Data leakage prevention tools PAGE 12


Reducing Risks
Case study: Harland Clarke reworks its risk management PAGE 38


October  2007  $9.00  www.csoonline.com 




1 Source: "Business Continuity Unwrapped," Continuity Central, 2006, www.continuitycentral.com/feature0358.htm. IBM, the IBM logo, System p, Take Back Control and Tivoli are
trademarks or registered trademarks of International Business Machines Corporation in the United States and/or other countries. ©2007 IBM Corporation. All rights reserved.



INFRASTRUCTURE LOG

DAY 82: There are so many risks out there. So many things
that can happen to our business: natural disasters, spikes
in traffic, mergers. How do we prepare? One in three
companies don't recover from unplanned downtime.1 Would we?

Gil has wrapped everything in the office with bubble wrap.
Everything. Just to be safe.

DAY 83: I'm preparing with IBM Business Resilience Solutions.
IBM Business Continuity Services can help us assess our risks
and design a proactive plan to deal with them. IBM Tivoli gives us
the visibility to diagnose and fix infrastructure problems.

And the robust availability features of the IBM System p™ give
us maximum uptime. The future feels so much safer now.

No more bubble wrap. And I have to mail a package. Great.




Take  the  business  continuity  assessment  at: 

IBM.COM/TAKEBACKCONTROL/READY 


October  2007  Vol.  6,  No.  9 


Features... 

26  Ram  Charan:  The 
Business  of  Security 

Interview Lynn Mattice, CSO of
Boston Scientific, quizzes the man
Fortune magazine calls "the most
influential business consultant
alive" about how security executives
can better serve the business.

30  The  End  of 
Innocence 

Cover  Story:  Global  Security 
Survey  Five  years  ago,  when  CSO, 
CIO  and  PricewaterhouseCoopers 
collaborated  on  the  first  “Global 
State  of  Information  Security”  survey, 
very  few  people  knew  how  bad 
the  problem  was.  Now  everyone 
knows.  They  just  don’t  know  how 
to  fix  it.  By  Scott  Berinato 

38  Checks  and 
Balances 

Case Study: Risk
Management Harland Clarke
Holdings wanted to remake its
business, and its approach to security
had to keep up. By Mary Brandel

42 Iron Giant

Information Security Barry
Schrager, the original architect of
mainframe security, hasn't lost faith
that his approach to securing the
enterprise is the superior approach.


Also  Inside... 


4  From  the  Editor 
6  From  the  Publisher 

8  Join  the  Discussion 

CSOonline  readers  debate 
Agile  programming. 


44  Happy  Campers 
Undercover  Juggling  the 
needs  of  top  performers 
and  less-seasoned  team 
members  can  be  difficult, 
but  it’s  critical  to  everyone’s 
growth. 


12  Toolbox 

Dos  and  Don’ts  for  Data 
Loss  Prevention  Sensitive 
information  requires  extra 
protection;  with  intelligent 
use,  these  tools  can  help; 
Gartner’s  vendor  list 
By  Mary  Brandel 


46 PCI: Smart or Stupid?
Industry View The data
security standard isn't as
complex as some would have
you believe. By Ben Rothke

48  Debriefing 

Ask  the  Paranoiac 


17 Briefing

The return of ransomware;
Tainted cargo; DHS continues
to improve its grant program;
How to spam-proof your
inbox; Terror tracker;

How train nuts are
keeping America's
railways safe


CSO (ISSN 1540-904X) is published monthly except for a combined issue in July/August and December/January by CXO Media Inc., 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208. Periodical Postage Rate at
Framingham, MA 01701, and at additional mailing offices. Canadian Publications Mail agreement number 1902075. Canadian Postmaster: Please return undeliverable copy to P.O. Box 1632, Windsor, ON N9A 7C9. Copyright 2007 by
CXO Media Inc. All rights reserved. Reproduction of material appearing in CSO is forbidden without written permission. Permission to photocopy for internal or personal use or the internal or personal use of specific clients is granted
by CSO for users through the Copyright Clearance Center, provided that a fee of $3.50 per copy of the article is paid directly to Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01970. www.copyright.com. Please specify:
ISSN 1540-904X. Permission to photocopy does not extend to contributed articles followed by this symbol. Address inquiries to CSO, P.O. Box 3482, Northbrook, IL 60065: 866 354-1125. CSO is free to qualified security executives.
To all others the one-year basic rate is $70 for the United States and Canada, $95 to foreign countries (payable in U.S. funds only). The single copy price is $9 in the U.S. and Canada and $15 International. Please allow four to six weeks
for new subscriptions to begin. Change of Address: Go to www.omeda.com/custsrv/cso and follow the online instructions. Postmaster: Send change of address to: CSO, P.O. Box 3482, Northbrook, IL 60065. Printed in the USA.


2  www.csoonline.com  October  2007 


Cover  illustration  by  Guy  Billout 


Vance  Uniformed  Protection  is  now  Garda  - 

A  new  name  for  the  security  team  you  know  &  trust 


Experienced  team 


Exceptional  value 


Reduced  risk 


Peace  of  mind 



Consistent  service 


For  decades,  Fortune  500  corporations  and  sensitive  government 
agencies  alike  have  trusted  Vance  Uniformed  Protection  to  secure 
personnel,  property  and  assets.  Rigorous  screening  produces  quality 
security  officers.  Rigorous  training  and  supervision  requirements 
yield  consistent,  reliable  services  that  reduce  risk  and  deter  criminal 
activity.  Now  part  of  Garda,  Vance  Uniformed  Protection  continues 
to  deliver  unsurpassed  value,  maximizing  client  budgets  by  offering 
superior  security  programs  at  a  competitive  price. 


In  fact,  only  our  name  has  changed.  The  same  men  and  women — 
from  the  company’s  seasoned  management  team  to  its  experienced 
security  officers — provide  exceptional  value  and  service  with  a 
total  commitment  to  quality,  day  in  and  day  out. 

Under  the  Garda  name,  Vance  Uniformed  Protection  experts 
continue  to  protect  your  people  and  assets.  We  use  the  same 

screening,  training,  employee-retention  programs  and  the  same 
quality-assurance  standards  to  deliver  the  service  consistency 
and  peace  of  mind  that  you  have  come  to  expect. 


GARDA 


Contact  our  experts  at  800.533.6754  or  info@gardasecurity.com 
to  upgrade  your  security  program,  gardasecurity.com 


FORMERLY VANCE


[  FROM  THE  EDITOR  ] 


New  Package! 
AND  Improved 
Taste! 

Consumer  goods  is  a  funny  industry. 
Occasionally  you  get  a  relatively  new 
product  (various  Swiffers  being  one 
adopted  with  great  enthusiasm  in  my 
household), but mostly you get tiny incremental
improvements. In fact, the more strident
the  marketing,  the  greater  the  likelihood  that 
the  actual  change  is  quite  small  (“Pringles— 
now  available  in  SNACK  SIZE!!”). 

As  I  mentioned  last  month,  CSO  is  now  five 
years  old,  and  we’ve  celebrated  by  remodeling. 
This  issue  of  CSO  is  a  mix  of  new  product  and 
new  packaging. 

You’ll  still  find  long-standing  favorites:  the 
Briefing section (Page 17); its humorous
back-page companion, Debriefing (Page 48); and
the  ever  popular  Undercover  column  (Page 
44).  And  of  course  our  feature  articles,  which 
provide  in-depth  exploration  of  the  subjects 
and  tasks  most  central  to  your  job. 

New  stuff  includes  Join  the  Discussion 
(Page  8)— with  roughly  a  dozen  security  pros 
blogging  on  CSOonline.com,  we  wanted  to 
bring  some  of  the  lively  debate  into  our  pages 
and  invite  you  to  join  in.  We’ve  also  created  a 
new  section  called  Toolbox  (Page  12)  to  do  a 
better  job  of  providing  you  with  guidance  in 
evaluating, purchasing and implementing
software, equipment and services; this month's
edition  covers  the  relatively  new  category  of 
tools  known  by  the  unfortunate  moniker  “data 
leakage  prevention.”  Freelancer  Mary  Brandel 
offers  great  practical  insight  into  these  tools;  I 
think  you’ll  find  Toolbox  extremely  useful. 


Historically, our magazine has presented
the point of view of the practitioner: the
vast majority of our articles are based on
interviews with CSOs and CISOs who oversee
the security function in private or public
organizations. That will continue to be the case, but
we've now added the Industry View column
(Page 46) to draw directly on the expertise of
the many smart analysts, consultants and
vendors working in security. You'll find additional
Industry  View  columns  on  our  website. 

One lesson from consumer goods
marketing is the importance of appearance. Our whiz-
bang art director, Steve Traynor, has taken
the opportunity to refresh and sharpen CSO's
presentation.  I  hope  that  you  are  as  delighted 
with  the  results  as  I  am. 

The  aim  remains  to  make  CSO  not  only 


informative,  engaging  and  easy  to  read, 
but  also  of  such  quality  that  it  reflects  the 
importance  of  the  profession.  You  should  feel 
confident  that  if  you  present  CSO  articles  to 
your  CEO,  he  or  she  will  be  impressed. 

Have  we  hit  the  mark?  Let  me  know.  I  think 
we  have,  but  after  all,  my  opinion  doesn’t 
count  for  much.  It’s  all  about  the  consumer. 

-Derek  Slater,  dslater@cxo.com 


Editor  in  Chief  Derek  Slater 
Executive  Editor  Scott  Berinato 
Senior  Editor  Sarah  D.  Scalet 
Associate  Staff  Writers 
Christopher  Lynch,  Katherine  Walsh 
Copy  Chief  Dave  Gradijan 
Copy  Editor  Susan  Bryant-Still 
Editorial  Assistant  Kristin  Burnham 
Editorial  Administrator 
Jill  Paquette 

Contributors  Daintry  Duffy 

DESIGN 

Executive  Director,  Art  and 
Design  Mary  Lester 
Art  Director  Steve  Traynor 

RESEARCH 

Research  Manager  Carolyn  Johnson 
Senior  Research  Analyst 

Seanna  Maguire 

ONLINE  EDITORIAL 

Online  Editorial  Director 
Christopher  Lindquist 
Online  Managing  Editor 
Michael  Goldberg 
Senior  Online  Editors 
Meridith  Levinson,  Shawna  McAlearney, 
Esther  Schindler 
Associate  Online  Editor 
Diann  Daniel 
Online  Writer  Al  Sacco 

CXO  MEDIA /IDG 

COO  Matt  Smith 
CSO  Robert  Hayes 

TECHNICAL  ADVISORY  BOARD 

Lynn  Mattice,  Boston  Scientific 
Frank  Murphy,  TBG  Security 
Stephen  Northcutt,  SANS  Institute 

EDITORIAL/ADVERTISING/ 
BUSINESS  OFFICES 

492  Old  Connecticut  Path,  P.O.  Box 
9208,  Framingham,  MA  01701-9208 
Main  phone  number:  508-872-0080 


CXO MEDIA INC


INTERNATIONAL  DATA  GROUP 

Board  Chairman 
Patrick  J.  McGovern 
President,  IDG  Communications 
Bob  Carrigan 


BPA Worldwide




Photo  by  Webb  Chapell 


Your  next 
attacker  will  be 
highly  motivated. 


Fortunately, 
so  are  we. 


If  it’s  worth  storing,  it’s  worth  stealing.  We  know 
because  we’re  SecureWorks,  and  nobody  is 
better  positioned  to  defend  your  network.  Our 
client-dedicated  security  analysts  work  round- 
the-clock  supported  by  the  industry-leading 
counter-threat  unit  and  state-of-the-art  threat 
correlation  platform  —  all  to  ensure  your 
company  and  your  reputation  remain  intact. 


www.secureworks.com 

©2007  SecureWorks,  all  rights  reserved.  SecureWorks  and  the 
SecureWorks  logo  are  registered  trademarks  of  SecureWorks. 




[  FROM  THE  PUBLISHER  ] 


Complacency 
Can  Be  a 
Dangerous 
Thing 

I  think  my  paranoia  is  getting  to  me  again. 
I’m  seeing  complacency  everywhere  I  look 
and,  frankly,  it’s  pretty  unsettling.  I’ve 
watched  the  memory  of  9/11  sink  into  the 
background  of  Americans’  minds,  replaced 
with  a  belief  that  since  nothing  has  happened 
since  2001,  we  must  be  safe.  Time  can  be  a 
powerful  driver  of  complacency. 

I  have  also  watched  our  businesses  and 
organizations  become  complacent  in  their 
efforts  to  secure  their  assets.  It  has  been  years 
since  we’ve  had  any  sort  of  major,  widespread 
malware attack. While many security
professionals understand that the risk has never left
(it’s  only  changed),  our  business  leaders  are 
falling  into  the  mind-set  that  “it's  been  years; 
we  must  be  safe.”  This  directly  impacts  our 
ability  to  protect  our  nation  and  our  businesses 
because  as  you  seek  to  justify  the  investments 
in  security  that  you  know  must  be  made,  you 
will  encounter  skepticism  of  the  threats.  And  for 
the  investments  that  have  already  been  made, 
your  judgment  will  be  called  into  question. 

CSO  recently  completed  its  fourth  annual 
“E-Crime  Watch  Survey”  in  cooperation  with 
the  United  States  Secret  Service,  the  Carnegie 
Mellon  University  Software  Engineering 
Institute’s  CERT  Program  and  Microsoft.  This 
year’s  study  had  some  interesting  findings: 

■  58%  of  e-crimes  were  committed  by 
outsiders,  26%  by  insiders  and  for  17%,  the 
source  was  unknown. 

■  22%  of  security  events  were  targeted 
specifically  at  the  company  that  was 
attacked,  and  that  number  is  growing,  as 
are  financial  losses  resulting  from  those 
targeted  attacks. 


■ Information security budgets fell 5%.
Effective policies and procedures, like using
background  exams  on  new  employees  and 
contractors,  fell  to  57%  from  73%,  while 
employee  security  awareness  training  fell 
by  more  than  half. 

The  study  also  found  a  continuing  focus 
on the use of traditional perimeter
technologies (firewalls, IDS/IPS, etc.) even though the
increasingly targeted attacks being
perpetrated are designed to bypass those defenses.
So  are  security  executives  being  smarter  about 
how  to  defend  their  enterprises?  I  hope  so. 
Does  it  mean  they  are  truly  more  secure?  I 
doubt  it.  Hear  that  rumbling  in  the  distance? 

It  may  be  senior  management  beginning  to 
question  the  value  of  your  security  investment. 
When  they  ask,  “Were  we  not  attacked  because 


our  security  was  so  good,  or  was  it  because  we 
weren’t  going  to  be  attacked  in  the  first  place?” 
it  may  be  too  late. 

If  the  answer  is  because  security  is  so  good, 
and  senior  management  realizes  it,  then  you 
have  done  your  job  well  and  it  is  recognized.  If 
the  answer  is  the  latter,  then  you  better  start 
getting  your  resume  in  order. 

-Bob Bragdon, bbragdon@cxo.com


Advertiser  Index 


ASIS International ........ 21
BigFix, Inc. ........ 7
CXO Media Inc. ........ 23, 45, 47
Cyveillance ........ C3
Garda ........ 3
Hewlett-Packard Co. ........ 37
HID Corp. ........ 11
IBM Corp. ........ C2
Intel Corp. ........ 9
(ISC)2 ........ 16
Juniper Networks Inc. ........ 13
RSA Security Inc. ........ 24, 25
SecureWorks ........ 5
Unisys Corp. ........ 19
Verisign Inc. ........ C4


Publisher  Bob  Bragdon 
Senior  Ad  Sales  Associate 
Christine  McKay 
East  Coast  Regional  Manager 

Roz  Burke 

West  Coast  Regional  Manager 

Drew  Seifried 

INTEGRATED  MEDIA  AND 
ONLINE  SALES 

Vice  President,  Online  Sales 

Brian  Glynn 

Online  Regional  Sales  Manager 
Richard  Hartman 
Online  Regional  Sales  Manager, 
West  Coast  Erika  Karr 
Manager,  Online  Account  Services 
Danielle  Tetreault 

Online  Account  Services  Specialist 
Valerie  Sumner 
Online  Advertising  Specialist 
Irina  Gabechiia 
Online  Ad  Sales  Associate 
Devon  Slattery 

Online  Account  Services  Coordinator 

Hayley  Nickerson 

CSO  EXECUTIVE  COUNCIL 

Managing  Director  Bob  Hayes 
VP,  Research  and  Product 
Development  Kathleen  Kotwica 
Director,  IT  and  Product  Technology 

Greg  Kane 

Operations  and  Production  Specialist 
Jayne  Marcucella 
Member  Services  Manager 

Elizabeth  Lancaster 

PRODUCTION 

VP/Manufacturing  Chris  Cuoco 
Production  Manager  Heidi  Broadley 
Associate  Production  Manager 

Lisa  M.  Stevenson 

EXECUTIVE  PROGRAMS 

VP,  Executive  Programs  Ellen  Daly 
Director,  Event  Marketing 

Mary  Conroy 

Director,  Event  Operations 
Deb  Begreen 

National  Sales  Manager  Per  Melker 
Senior  Conference  Producer 
Judith  Kittredge 
Event  Planner  Sarah  Reagan 
Event  Coordinator  Bethany  Whiffin 
Registration  Specialist  Cress  O'Brien 
Client  Services  Specialist  Erica  Foster 
Sales  Associate  Nicole  Blackburn 

CIRCULATION 

Senior  VP/Circulation  Carol  A.  Spach 
Subscription  Services  Supervisor 

Tina  Pescaro 

LIST  SERVICES 

Contact  Paul  Capone  of 
IDG  List  Services  at  508  370-0865  or 
pcapone@idglist.com 

REPRINTS  &  PERMISSIONS 

For  information  about  reprints  and 
copyright  permissions,  please  contact 
Reprint  Management  Services  at 
800  290-5460,  ext.  100,  or  e-mail 
cso@reprintbuyer.com 




Photo  by  Christopher  Navin 


ONE  BATTLEFIELD 
ONE  AGENT 




Contrary to the impotent baloney
from McAfee/Symantec/et al, it does
not take weeks and an army of servers
to secure all your computers. You
just need one can of BIGFIX
whup-ass.

■ What can you do from one
console with a single, policy-
driven BIGFIX agent? How about
continuously discovering,
assessing, remediating, optimizing
and enforcing the health/security of
hundreds of thousands of
computers in minutes? Yup. Minutes.

Schedule a free trial showing
how fast we empower you at
www.bigfix.com/oneagent,
or call 510-652-6700
x116. We'll also send you
this poster of BIGFIX's
cleanup agent doing a
little... reconnaissance
in force.

Windows, Vista,
Linux/Unix and Mac
systems. Nobody else
can do this. And we're
making sure everyone
else is more than a
little embarrassed
about it.

BIGFIX


Never  before  have  so  few  done  so  much,  so  fast,  for  so  many. 


©2007  BIGFIX.  BIGFIX  and  its  logo  are  registered  trademarks  of  BIGFIX,  Inc.  All  other  trademarks  are  acknowledged.  Illustration  by  Daryl  Mandryk. 




What's on your mind? Security leaders discuss
and debate at www.csoonline.com


BLOG  POST 

Agile  Debate 

Excerpts  from  Jeff  Bardin’s 
questioning  of  Agile  programming 
security  practices 

Agile software development
is a conceptual framework
for undertaking software
engineering projects that
embraces and promotes
evolutionary change throughout the entire
lifecycle of the project. What it does not do
is incorporate information security risk
into the process. It is another way to keep
costs down in the development process but
was created by those without any inkling
of what it means to include security in any
process, whether iterative or waterfall-like.

Agile methods emphasize real-time
communication, preferably face-to-face,
over written documents. Ergo, very little
consideration is given to documenting
critical transactions, compliance issues,
access management, roles, etc. Most Agile
teams are located in a bullpen and include
all the people necessary to finish software
but not to write proper software free of
vulnerabilities. At a minimum, this would
include programmers and their "customers"
(customers are the people who define
the product; they may be product managers,
business analysts or actual customers).
The bullpen may also include testers,
interaction designers, technical writers
and managers (but no mention of anyone
with a security bent)....

[Agile's] concepts are fine but lacking.
If you hear of agile methods in your
environment, muscle your way in or the sheer
speed of their efforts (and the fact they will
see infosec as a governor on the throttle)
will produce multiple iterations that are
moved to production before you can get
involved!

-Jeff Bardin

MORE ON THE WEB

World View

"Six years on from
the 9/11 attacks, the
increase in security
is beginning to
erode America's
larger interests."

-CISO Paul Raines in his
online World View column
at http://www2.csoonline.com/exclusives/column.html?CID=33167

COMMENT 

JEFF, WHILE MY research and
experience might indicate that your blog might
have some valid inspiration, regrettably I
cannot agree with your post, which throws
out unsubstantiated claims about Agile
and makes a poor linkage to the very
challenges that exist. Comments such as
"incorporates insufficient software design" are
unhelpful and only drive a wedge between
the software development and security
communities.

Indeed,  I  use  Agile  techniques  for  my 
security  development  projects  and  find 
them  to  be  highly  valuable,  so  I’d  have  to 
call  you  on  your  polemic. 

Instead,  if  this  had  been  researched 
thoroughly  and  based  on  real  interaction 
with  Agile  teams,  the  issues  you  should 
have  raised  might  have  included: 

1. Agile requires that a security
specialist be part of the team....

2.  A  lack  of  documentation  means  that 
traditional  approaches  to  risk  assessment 
need  to  be  discarded.... 

3. A relative lack of understanding of
threat modeling and other security-specific
knowledge and techniques means that
Agile teams without specialized security
knowledge are at risk of developing
insecure code....




Photo  by  istockphoto 


MULTIPLY  MOBILE  SECURITY 
AND  MAXIMIZE  CONFIDENCE. 


INTRODUCING  NEW  INTEL®  CENTRINO®  PRO  PROCESSOR  TECHNOLOGY. 

Deploy security upgrades to notebooks remotely, even if they're powered off.* Automatically isolate an
infected notebook before it infects other devices. With 64-bit capable Intel Centrino Pro processor technology,
powered by the Intel® Core™2 Duo processor, you multiply your power to manage your systems.
Learn more about why great business computing starts with Intel inside. Visit intel.com/centrinopro

*Intel Active Management Technology requires the platform to have an enabled chipset with connection to a power source and corporate network. Capabilities may be limited on systems that are
powered off. Learn more at intel.com/technology/manage/iamt/ ©2007 Intel Corporation. Intel, the Intel logo, Intel. Leap ahead., Intel. Leap ahead. Logo, Intel Centrino, Centrino, Intel Core ar


Centrino 




4.  Agile’s  documentation  preferences 
make  security  certification  difficult.... 

Having  said  all  that,  I  know  Agile  teams 
can  develop  secure  software,  but  one  real 
problem  is  that  development  teams  lack 
security  expertise  and  no,  code  quality 
does  not  equal  secure  software— that’s  so 
Eighties  (WEP  had  few  “code  errors”— it 
was  the  design,  stupid!).  The  other  is  that 
the  information  security  community  does 
not  understand  software  development,  let 
alone modern software development, and is
still  trying  to  apply  old-fashioned  waterfall- 
based  CISSP  “best”  practice  to  the  problem. 

-Denis  Verdon 


COMMENT 

THIS POSTING IS written by
someone who has never
experienced a disciplined Scrum team.
The  best  security  infrastructure 
in  health  care  was  written  by  a 
Scrum  team  at  PatientKeeper.  Teams  of 
developers  in  the  largest  healthcare  systems 
in the U.S. have dedicated weeks of time
trying to crack it and no one has ever been able
to  penetrate  it.  NIST  documented  it  in  an 
IEEE  Journal.  Your  disinformation  is  not 
surprising  as  less  than  10  percent  of  those 
who  say  they  are  doing  Scrum  can  pass  the 
basic  Nokia  test  that  Nokia  Networks  uses 
for  their  hundreds  of  Agile  Scrum  teams... 

Disciplined  Agile  teams  are  about 
delivering  software  like  Toyota  delivers 
cars. They can be better than four times as
productive with 12 times the quality of
competitors on security infrastructure as well
as  everything  else  they  do.  The  defect  rate 


on  the  Agile  Motorola  team  was  about  two 
bugs  per  10,000  lines  of  code.  The  world 
record  for  any  software  project  is  0.7  defects 
per  10,000  lines  of  code.  Have  you  checked 
the  defect  rate  in  your  blog  lately? 

-Jeff  Sutherland 

BLOG  POST 

Microsoft 
vs.  Apple 

Imagine,  if  you  will,  a  battle  of  epic 
proportion.  Two  massive  armies  take 
sides  on  the  battlefield,  each  side  clad 
in  polished  armor.  Sweat  rolls  down 
a  wrinkled  brow  as  the  noonday  sun 
blisters  overhead.  Battle  cries  echo  off  of  the 
shining  armor  and  armies  surge  forward. 
The  attack  begins... 

It’s  over  in  an  instant.  Battered  and 
bloodied  bodies  are  strewn  as  far  as  the 
horizon.  The  victor  stands  in  the  middle 
of  the  field  surveying  the  evidence  of  his 
power in the mass of destruction
surrounding him. Both armies were conquered by a
third.  Neither  general  considered  the  third 
army  a  threat,  but  the  third  general  had 
a  secret  weapon.  He  knew  each  army’s 
weakness. 

The  battle  between  Microsoft  and  Apple 
over  who  has  the  most  secure  platform  has 
been fought for years. Billions in
advertising dollars have been spent to convince
us that each is more secure than the other.
Countless articles and blogs have been
written touting one vendor's security over its
competitor.  Patches  are  released,  exploits 
are  found,  and  life  goes  on. 

In  the  end  does  it  really  matter  who  is 
more  secure?  I  suppose  in  some  ways  it 
does,  but  consider  this.  If  Microsoft  and 
Apple  were  to  refocus  their  energies  into 
actually  building  more  secure  software 
rather  than  hyping  the  illusion  of  security, 
wouldn’t  everyone  benefit? 

Recent  articles  on  Darknet  and  in  PC 
Magazine  bash  Microsoft’s  Vista  doubting 
both  its  security  and  its  stability.  Others,  I 
am  sure,  bash  Apple  in  the  same  regard.  It’s 
about  time  that  everyone  wakes  up.  As  long 
as  we  are  dependent  upon  technology  there 
will  be  those  who  attempt  to  exploit  it.  The 
Department of Homeland Security, business
and higher education all work hard to
protect both their internal assets and the
infrastructure that they are responsible for.
In many respects the three work together
to share information and fight for the
common good.

[But] we are losing the war at our flanks.
Vendors fail to commit to building more
secure platforms, rush products to market
without fully vetting them and refuse to
open source code for peer review. There is
a security war going on all around us and
unfortunately it is between the only two
powers that can have a true impact. Until
there is a truce, we are all in the middle of
this crossfire.

- Chad McDonald

HOW TO REACH US

You can contact us
directly or post your
thoughts on specific
articles and blogs at
www.csoonline.com.

Derek Slater, Editor in Chief
dslater@cxo.com
508 935-4213

Scott Berinato, Executive Editor
sberinato@cxo.com
508 988-7587

Sarah Scalet, Senior Editor
sscalet@cxo.com
973 338-0059

Katherine Walsh, Associate Staff Writer
kwalsh@cxo.com
973 338-0059

Subscriber Services

Phone: 866 354-1125
Fax: 847 564-9453
E-mail: cso@omeda.com

Reprints & Permissions

For information about reprints
and copyright permissions,
please contact Reprint Management
Services, 800 290-5460,
ext. 100, cso@reprintbuyer.com




Photo  by  istockphoto 


The HID RP40 multiCLASS™ Reader reads the most
popular proximity cards and smart cards. It's the
ultimate migration solution. The RP40 is a multi-technology
card  reader  that  makes  it  easy  to  upgrade  a  proximity  card  system  to  a 
13.56  MHz  contactless  smart  card  technology  such  as  HID  iCLASS®. 
Whether  you’re  making  the  transition  in  a  single  building  or  across 
multiple  facilities,  you  can  do  it  at  your  own  pace,  employing  multiple 
card  technologies.  Unlike  other  “smart”  card  readers  that  only  scan  the 
serial  numbers  of  iCLASS,  the  RP40  offers  the  enhanced  security  of 
mutual  authentication  and  data  encryption.  Convenient.  Flexible. 

Secure.  For  the  perfect  migration  path,  The  HID  RP40  multiCLASS  is 
required  reading. 


hidcorp.com 


By  Mary  Brandel 


Dos  and  Don’ts  for 
Data  Loss  Prevention 


Sensitive  information  requires  extra  protection; 
with  intelligent  use,  these  tools  can  help 


Data loss prevention (DLP)
tools—also known as data
leakage prevention or content
monitoring and filtering
(CMF) tools—are intended
to prevent inadvertent or intentional
exposure of sensitive enterprise information.
According to consultancy Gartner, they do
this by identifying content, tracking
activity and potentially blocking sensitive data
from being moved. When Jack in accounting
tries to e-mail customer records to his
home PC—or perhaps copy the data to a
USB drive—DLP software can warn Jack
and/or stop the action.

Gartner,  which  says  this  market  tripled 
from  $50  million  in  2006  to  $150  million  in 
2007,  offers  the  following  functions  as  basic 
requirements  for  DLP  software: 

■ Perform content-aware, deep packet
inspection on network traffic, including
e-mail and other protocols.

■ Track complete sessions—not individual
packets—for analysis.

■  Use  statistical  and  linguistic  analysis 
techniques  beyond  simple  keyword 
matching  for  detection  (for  example, 
advanced  regular  expressions, 
document  fingerprinting  or  machine 
learning). 

■  Detect,  block  or  control  the  usage 
of  (for  example,  saving,  printing  or 
forwarding)  specific  content  based  on 
established  rules  or  policies. 


■  Monitor  network  traffic  for,  at  a 
minimum,  e-mail  traffic  and  other 
channels/protocols  (HTTP,  IM,  FTP) 
and  analyze  across  multiple  channels, 
in  a  single  product  and  using  a  single 
management  interface. 

■  Block,  at  a  minimum,  policy  violations 
over  e-mail. 

The tools can be classified in three groups: network-based tools, which sit at the edge of the network, monitor data flowing through the network and in some cases filter or block data movement; host-based tools, which require an agent to be installed on individual PCs and servers, monitor static data on these systems and, in some cases, block or control actions that users can take; and systems that combine both of these capabilities. Ultimately, Gartner says, tools will not only monitor but also block any channel on the network and hosts from which data can be stolen, including the network interface, within the operating system and between applications. This requires much deeper integration with servers and desktops. For instance, agents running on local hosts could stop someone from downloading sensitive data through a USB drive, printing it and walking out the door. While vendors have significant plans in this area, product offerings are unlikely to become available in 2007, Gartner says.

12 www.csoonline.com October 2007

Illustration by Colin Johnson

Juniper Networks

Hackers love company. Your company. Today, criminals are methodically targeting corporations, orchestrating attacks to steal confidential information: “Hacking for profit.” In addition to stopping worms, viruses and phishers, you need to crush these new, systematic assaults — from botnets to trojans. Juniper Networks’ comprehensive, cost-effective threat management solutions provide uncompromising defense for your network. Only Juniper takes a uniquely holistic approach, dispatching dedicated protection to every network and application layer vulnerability and making any network more secure: www.juniper.net/threatmanagement

1.888.JUNIPER

>> TOOLBOX

Gartner says its clients find host-based systems more difficult to manage and less sophisticated in detections. “If someone came onto the network with a laptop [that didn’t have an agent installed on it], they could gain access to files, and you’d never have insight into that activity,” says Rich Mogull, research VP at Gartner. He sees host-based capabilities as critical but believes a combination of both approaches is ideal. “You should have one management console for data discovery, data in motion, data in use and data on the endpoint system,” he says.

Here are critical dos and don’ts for evaluating and using DLP tools, based on input from CSOs and analysts:

DO think about network requirements. Nearly every DLP product claims to support Gigabit Ethernet speeds without packet loss or significant latency, according to Gartner; however, the company says, few products can actually function at gigabit speeds in a production environment. Here’s what Gartner says companies need in terms of relevant sustained bandwidth.

■ Large: 200Mbps to 500Mbps

■ Medium: 50Mbps to 200Mbps

■ Small: Less than 50Mbps

When Scott Mackelprang, vice president of security and compliance at Digital Insight, implemented a tool from Tablus, he worked intimately with network administrators. “Tablus sends out agents across the network, so they were afraid we’d clobber it,” he says. “I’d advise people to involve the network people up front so they can dissolve those concerns up front.” He says Tablus controls the movement of agents in a way that protects the network.

DO figure out what you’re trying to protect. Jon Oltsik, senior analyst at Enterprise Strategy Group, says, “It’s important to start with some sort of requirement, some question you want answered.” For instance, are you looking for access control violations, accidental data exposure issues or to reinforce policies? Are you mainly concerned with protecting private data, such as personally identifiable data, in order to comply with government regulations, or do you need to protect intellectual property that, if exposed, could damage your competitive advantage?

DO pilot DLP tools in your own environment before deciding which ones will work best for you, Oltsik says. “Everyone talks about how their detection is better than others, but there’s no way to tell which one works better without running a few products side by side in your environment, on your data, with a couple of your rules.” See which ones come up with the most alerts and which have the most false positives and negatives. “If you don’t, you’re really taking a risk, no matter how good the canned presentation is,” Oltsik says.

DON’T buy a DLP product to guard against malicious activity such as data theft. According to Gartner, the tools are actually better at helping companies identify bad security practices and accidental data leakage. As the technology evolves toward combination host- and network-based products, it will deal more directly with the problem of malicious attacks, Gartner says. But current systems will stop only the most basic of criminal activities.

For instance, network capabilities alone can’t detect sensitive data that doesn’t pass through one of the DLP network sensors, while host-based systems can’t detect anything on a nonmanaged system, Gartner points out. “They’ll stop the ill-informed, dumber bad guys, but not the ones who know the tools are in place,” Mogull says.

FIVE EVALUATION CRITERIA

Thoughts on Gartner’s considerations for narrowing down your list:

Channels. How many protocols does the product cover, and is it capable of decoding the protocol? The market is rapidly moving toward multiple-protocol decoders, Gartner says.

Blocking. Not all products perform blocking, and some block only on certain channels, though Gartner sees the market moving toward products that will block all channels.

E-mail. Most products block e-mail first and enable quarantining, rerouting, blocking, encryption and other more complex handling rules, Gartner says. Few products today monitor internal e-mail, but some provide Microsoft Exchange or Lotus Notes integration. Users should be cautious of products that monitor e-mail passively or block SMTP traffic by resetting TCP connections, which provides no feedback to the sender and can cause performance issues, according to Gartner.

Detection techniques. Options include rule-based detection, document fingerprinting, database matching and statistical analysis. “If you’re looking for things like Social Security numbers, that’s not a hard thing to do, but when you start asking for other kinds of data, it gets harder,” says Jon Oltsik, senior analyst at Enterprise Strategy Group. “Some products have more kinds of classifications than others—financial data, credit card data or whether people have hacking scripts on their desktop.”

Data-at-rest content discovery capabilities. Some products automate the discovery of where sensitive data resides. Oltsik says, “Data travels from person to person, gets attached to e-mails, is downloaded in flat files and put in spreadsheets or databases. Understanding where your data is [is] an important first step.” -M.B.
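The two detection techniques the evaluation criteria contrast (rule-based matching for something like a Social Security number, and document fingerprinting for less structured data), together with the alert-first posture the article recommends before turning on blocking, as an added Python example that is not code from the article or from any vendor it names. The protected document, the three outgoing messages and the thresholds are constructed for the example; the SSN validity ranges (area 000, 666 and 900 to 999, group 00, serial 0000 are never issued) are public SSA facts.

```python
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass

# --- Rule-based detection: Social Security numbers -------------------------
# Three digits, two digits, four digits, with optional dash or space separators.
# The pattern alone flags every nine-digit run, so each match is also checked
# against ranges the SSA never issues, which removes the most common false
# alarms (test data such as 000-12-3456, area 666, areas 900 and above).
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(text: str) -> list[str]:
    """Return the plausible SSNs in text, normalised to 123-45-6789 form."""
    return ["-".join(m.groups()) for m in SSN_RE.finditer(text)
            if is_plausible_ssn(*m.groups())]


# --- Document fingerprinting ----------------------------------------------
# A protected document is reduced to a set of hashes over every run of
# SHINGLE_WORDS consecutive words. Outgoing text is shingled the same way, so
# a single pasted sentence still shares many shingles with the original while
# unrelated text shares none; the document itself never leaves the index.
SHINGLE_WORDS = 6


def _words(text: str) -> list[str]:
    # Lower-case and strip punctuation so trivial edits do not defeat matching.
    return re.sub(r"[^a-z0-9 ]+", " ", text.lower()).split()


def fingerprint(text: str) -> set[str]:
    words = _words(text)
    return {
        hashlib.sha256(" ".join(words[i:i + SHINGLE_WORDS]).encode()).hexdigest()[:16]
        for i in range(len(words) - SHINGLE_WORDS + 1)
    }


@dataclass
class Verdict:
    ssns: list[str]
    fingerprint_hits: int
    action: str  # "allow", "alert" or "block"


class DlpPolicy:
    """Inspect outgoing content against the SSN rule and fingerprinted documents.

    block=False is the alert-only mode used while employees are still being
    educated; block=True enforces the same rules outright.
    """

    def __init__(self, protected: dict[str, str], block: bool = False,
                 min_hits: int = 3) -> None:
        self.index = {name: fingerprint(body) for name, body in protected.items()}
        self.block = block
        self.min_hits = min_hits  # shingles in common before a document "matches"

    def inspect(self, outgoing: str) -> Verdict:
        ssns = find_ssns(outgoing)
        out_fp = fingerprint(outgoing)
        hits = max((len(out_fp & fp) for fp in self.index.values()), default=0)
        if not ssns and hits < self.min_hits:
            action = "allow"
        else:
            action = "block" if self.block else "alert"
        return Verdict(ssns, hits, action)


# --- Constructed sample data (hypothetical; not from any real organisation) --
PROTECTED = {
    "roadmap.txt": (
        "Project Falcon will move the settlement engine to the new clearing "
        "platform in the second quarter, pending a security review of the "
        "vendor integration layer and sign-off from the risk committee."
    ),
}
BENIGN = "Lunch is at noon on Thursday, see you there."
PASTED = ("FYI for later from home: Project Falcon will move the settlement "
          "engine to the new clearing platform in the second quarter, "
          "pending a security review.")
RECORD = "Customer 4471: Jane Roe, SSN 219-09-9999, balance 1200.00; test id 000-12-3456"

if __name__ == "__main__":
    policy = DlpPolicy(PROTECTED)
    for label, msg in (("benign", BENIGN), ("pasted", PASTED), ("record", RECORD)):
        print(label, policy.inspect(msg))
```

In alert mode the pasted roadmap sentence and the customer record both produce an alert, and the same policy with block=True blocks them; the invalid test number 000-12-3456 is ignored.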

DON’T get confused between USB blockers and DLP products that—through endpoint agents—enable you to prevent sensitive data from being copied onto USB devices. The original USB blockers lack content awareness, according to Gartner; that is, they block copying altogether, not just the copying of particular data. On the other hand, companies such as Centennial, Verdasys and Safend all offer products that make content-based decisions. For instance, they’ll prohibit copying of files from certain servers, certain file types or files containing Social Security numbers.

DON’T rush into blocking. More products are emerging that can block users from performing certain actions on sensitive data, such as copying, printing or e-mailing. However, users like Randy Barr, chief security officer at WebEx Communications, would prefer to be notified when users do something that’s against security policy rather than stop them outright. That’s because, when he deployed a network-based tool from Reconnex two years ago, he found that 80 percent of the violations occurred because employees were unaware of regulatory rules or company policy.

For instance, some employees were e-mailing files with sensitive data over the Web to their home computers when they wanted to work from home. And in one case, a vacationing employee revealed his user ID and password to a coworker over an instant messaging session so that the coworker could get some needed information on his personal drive. “It helps us identify violations so we can go in and do some quick awareness training,” Barr says.

Barr is also concerned that blocking would hinder some employees from performing essential job tasks. “I don’t want to hinder them—I want to audit what they’re doing,” he says. “I wanted a tool that would provide awareness to employees and also log an alert to me.”

Besides, he says, blocking may actually encourage someone intent on criminal activity to find other means to transport data. “If they’re really malicious, they may find other ways to take the data, like storing it on an iPhone, an iPod or a USB,” he says. He has looked into tools that block copying data to external drives, but for now, he’d rather be alerted and have the tool tell the user it’s against policy.

Gartner’s Vendor List

Gartner lists these DLP purveyors in its Magic Quadrant (which excludes host-based systems):

Vontu
www.vontu.com

Websense
www.websense.com

Vericept
www.vericept.com

Reconnex
www.reconnex.net

Tablus
www.tablus.com

Code Green Networks
www.codegreennetworks.com

Proofpoint
www.proofpoint.com

Palisade Systems
www.palisadesys.com

Fidelis Security Systems
www.fidelissecurity.com

Other players, depending on the definition of the category, include Centennial, Oakley Networks, Orchestria, Safend and Verdasys, among others. Industry watchers such as Jon Oltsik, senior analyst at Enterprise Strategy Group, expect consolidation, and recent purchases of IronPort by Cisco and Tablus by EMC indicate that bigger companies are starting to dive in.

“Understanding network activity is the first step to knowing what to do to improve your overall security program,” he says. “Going in blind and installing prevention at the desktop won’t give you the visibility you want.”

DO inform your employees they’re being monitored. Not only does this let employees know what you’re capable of doing, but it also teaches them what they need to do to protect sensitive data. After deploying a tool from Vericept, Sharon Finney, information security administrator at DeKalb Medical Center in DeKalb County, Ga., says the healthcare organization disclosed to employees that it fully monitors every piece of data that crosses the network, internally and externally, even requiring employees to sign a form saying they understand this.

DO make sure the tool has built-in capabilities to detect what is most important to you. When Finney went looking for a DLP tool four years ago, the main motivation was compliance with HIPAA, as well as monitoring employee Web use. “We allow some limited personal use of the Web, so we assumed a certain amount of risk in terms of what people posted to external Web sites or attached in their e-mail,” she says. That’s why Finney chose a tool that could monitor Web use and had built-in HIPAA rules.

DO consider data at rest. The main reason that Mackelprang decided to deploy Tablus was not to see sensitive data flowing over the network or outside the enterprise but what was sitting on people’s desktops. “Such a large percent of data that gets exposed is on stolen laptops, when people didn’t even know the data was on there,” he says. “It’s bad processes, not ill intent.”

DO find a tool with lots of flexibility in terms of data handling. At DeKalb, Finney plans to start using the blocking capabilities of the Verdasys tool, but she also wants to use its self-compliance feature. When the tool flags sensitive data, it gives users options on actions they can take, like encrypting the data. “Some people think blocking is disruptive, but we allow users the ability to do what they think needs to be done with the information.”

Mackelprang is also happy with the fact that Tablus allows him to quarantine data, encrypt it, quarantine and encrypt it or just alert him of a breach. “If you’re just starting out, you might want it to just alert you for a while until you educate users to change their process, and then later, after they’re sensitized, if there’s a clear violation, you can crack down,” he says. “It allows the tool to grow with maturity.” ■


Mary Brandel is a freelance writer. Send feedback to csoletters@cxo.com.




CISSP

You just hired an (ISC)2 infosecurity pro who’s not only going to make your day, but your career.

It’s easy to kick back when you’ve got the world’s best information security employees at your command. (ISC)2 credentials are the Gold Standard of the industry. When you see (ISC)2 or our globally recognized certifications on a resume, you can be sure that you’re getting a professional who continually updates his knowledge to keep ahead of new threats to your organization and most importantly has solutions! So you man the desk, we’ll get the job done.

For more information on (ISC)2’s credential and educational offerings, please visit www.isc2.org/certify.

ISO/IEC 17024


How train nuts are keeping America’s railways safe page 25


Edited  by  Daintry  Duffy 




Ransomware is nothing more than a virtual stick-’em-up. You download malware, which encrypts files on your computer. Then the malware delivers an extortion message: Pay us cash and we’ll give you access to your files again. The technique gained a moment of notoriety in 2006 when one such attack managed to make the news. This past summer ransomware returned. This time, the criminals have added a strong dose of social engineering to the attack.

The actual Trojan that encrypts files and delivers the ransom note is dubbed GPCode, or alternatively, Sinowal. It demands $300 in exchange for the key to decrypt your files. Failure to pay will result in the files being published on the Internet, according to the threatening note. What’s more, the note says, the files have been encrypted using an algorithm called RSA-4096, and it includes a link to an article about the technology that notes that RSA-4096 is virtually unbreakable.

But, according to security researchers, it’s all a bluff, the virtual equivalent of jabbing your finger through your jacket pocket and claiming you have a gun. GPCode does not actually take any files to publish on the Internet, and the encryption it uses is relatively easily cracked by professionals.

The goal of the bluff is to terrify someone with the prospect of being unable to access critical files. The relatively low amount of cash the extortionists demand is further meant to facilitate the transaction, creating in the victim’s mind an easy trade-off; it seems like a pittance next to a ruined career. The newfound ability of hackers to create mass distribution of their malware through spam and iFrames allows them to ask for less money from more victims, increasing the likelihood that any one victim will pay.

Experts suggest you never capitulate, especially before analyzing the situation with a team that includes security researchers, encryption experts and perhaps security experts skilled in negotiation and extortion threats. And don’t buy into the hype of a few sensational news reports. Experts believe that ransomware, while a real threat, is but one tree in the forest of risk and probably gets more press than it warrants because it makes for good reading. “What should warrant attention is a new development, something widespread, or something causing severe devastation,” says security researcher Jose Nazario. Ransomware, he notes, is 0-for-3 on those criteria.

GPCode has already come and gone. Another ransomware attack will probably come along. Remember, it’s probably just the guy’s finger jabbing into your back. -Scott Berinato


WHAT TO DO IF YOU’RE HIT WITH RANSOMWARE

1. Don’t panic. It’s natural to freak out when important files go missing, especially when someone is claiming to have the power to publish them on the Internet. Don’t panic. Lead.

2. Don’t pay. Paying extortion fees only invites more extortion. Payment should be a final, desperate option and only when negotiation experts say it’s your best option.

3. Assemble a team. Include encryption experts who might be able to unlock the files, security researchers who can look for the source of the attack and troll for intelligence, and someone skilled in negotiation if the situation becomes more serious or the attackers try to establish contact.

4. Create awareness. One of your biggest threats in this situation is an emotional user who thinks his career and/or life can be ruined by this development. Make sure users don’t act on their own behalf, and create an environment to help them contain what is sure to be an emotional response to the ransomware attack.

-S.B.


Illustration  by  iStockphoto 




>>  BRIEFING 


SUPPLY CHAIN

TAINTED CARGO

If you are part of the global economy, it’s essential that you monitor your overseas suppliers and partners

THE GOVERNMENT warnings about tainted imports from China are ominous: poisonous chemicals found in toothpaste in July. Lead paint in Thomas the Tank Engine toy trains in June. Contaminated pet foods in May.

While government attention focuses on the problems in China, experts say the emergence of these deficient goods highlights the risks associated with today’s global supply chains.

“There are more people that companies need to watch and make sure they trust,” says Yossi Sheffi, professor of engineering at MIT and an expert in risk analysis and supply chain management. Supplier visibility is a problem for many organizations, agrees Mark Hillman, a research director at AMR Research. He says many companies operating globally don’t know the players in their supply chain as well as they should.

Below are Sheffi and Hillman’s tips for managing your supply chain risks through security, resilience and vigilance.

1. FOCUS ON VISIBILITY INSIDE YOUR SUPPLY CHAIN. Sheffi says you should be able to answer the following question: “Where’s my stuff, what ship or truck is it on and what can I do to redirect it in case something goes wrong?” Companies need to watch their products all the way to the shelf. In many cases, counterfeit goods are introduced into the supply chain along the way, says Sheffi.

2. KEEP AN EYE OUT FOR PROBLEMS. Your company is responsible for staying abreast of what’s going on at supplier companies around the world. Control Risks Group and iJET are examples of service providers that monitor international economic and political conditions as well as natural disasters. Risk managers use them to keep tabs on working conditions for far-flung employees and business partners overseas.

3. KNOW WHAT YOU’RE GETTING INTO. Once you sign the contract, it’s hard to verify that your supplier is meeting the same standards that it sold you on, says Hillman. Regular visits to suppliers and constant monitoring are ideal, but monitoring tools, such as Dun & Bradstreet’s Open Ratings service, can also help companies identify potential problems, such as changes to a supplier’s quality score or payment terms.

4. COLLABORATE WITH OTHER COMPANIES. In many industries, your supplier is also your competitor’s supplier. Work with others in your industry to audit suppliers and share the results, says Sheffi. -Katherine Walsh


SECURITY FUNDING

Competing for Coin

DHS continues to improve its grant program

The Department of Homeland Security has never been good at making friends through its grant program. In fact, the Homeland Security Grant Program (HSGP) and its allocation process have been a point of controversy for years, perhaps most notably in 2006, when Washington, D.C., and New York City received what many thought to be inadequate funding.

In July, DHS released the FY07 grant program, which experts say is improved from previous years. The Urban Areas Security Initiative (UASI), the grant program of greatest significance to the states, focuses on the needs of high-threat, high-density urban areas. UASI allocated $747 million to 45 urban areas this year. The areas receiving the most money include New York City, Los Angeles/Long Beach and Washington, D.C.

Chris Dixon, manager for state and local industry analysis at INPUT, a public sector market intelligence firm, says the process for determining a region’s grant allocation is part formula and part competition. The formula is risk-based and accounts for two-thirds of the total score. The competitive aspect is a peer review process, which accounts for the remaining one-third of the score. That score ultimately determines how much money a specific area gets.

DHS’s risk analysis methodology considers characteristics that might contribute to urban-area risk, such as population, presence of national critical infrastructure, military facilities and border crossings, says Shawn Reese, a Homeland Security analyst at the Congressional Research Service.

The peer review process, which began in 2006, requires urban areas to submit an Investment Justification, a document outlining how specific security projects will support National Preparedness Guidelines. Reviewers then evaluate each application based on six categories, including strategy, funding plan and investment challenges. New in 2007 is the ability of applicants to submit an Investment Justification draft for early review by DHS.

Reese, who has been following the Homeland Security Grant Program since FY02, says additions like the peer review process and draft applications are evidence that DHS is gradually adding efficiencies to the program. “Before, [DHS] didn’t provide a lot of information on what they chose or how they chose,” he says.

Reese expects the improvements to continue. Although UASI is strictly at the discretion of DHS Secretary Michael Chertoff, Congress has been vocal about identifying additional risk factors that DHS should consider. Still, “it’s really up to DHS to determine how they do it, but every cycle, they are becoming more transparent.” -Katherine Walsh


TOP 10 GRANT RECIPIENTS

New York City                $134,090,000
Los Angeles/Long Beach         72,580,000
Washington D.C.                61,650,000
Chicago                        47,280,000
Northern New Jersey            36,070,000
San Francisco/Bay Area         34,130,000
Houston                        25,000,000
Dallas/Fort Worth/Arlington    20,950,000
Philadelphia                   18,700,000
San Diego                      15,990,000



Photo  by  AP/World  Wide  Photos 


THROW THE FIRST PUNCH.

Successful companies don’t flinch. They confidently assert their presence in the marketplace and refuse to let fear paralyze their ambition. From consulting to systems integration to outsourcing, Unisys Solutions for Secure Business Operations enable you to be more innovative, more competitive and as bold as you want to be. Let the competition block for a change.

Security unleashed.

©2007 Unisys Corporation. Unisys is a registered trademark of Unisys Corporation.

UNISYS

Secure Business Operations. Imagine it.

www.securityunleashed.com


>>  BRIEFING 


HOW TO SPAMPROOF YOUR INBOX

Spammers make a lot of money. A lot as in six figures a year. What this means, according to Andrew Graydon, CTO of BorderWare Technologies, a company that has been fighting spam and other Web-based security issues for 13 years, is that we’ll never stop it. Despite better filtering technologies, spam still costs businesses big bucks. In a survey released earlier this year, Nucleus Research, a Wellesley, Mass.-based firm, reported that U.S. companies are losing $71 billion annually to lost productivity caused by spam.

However, there is hope. By following the practical advice below, Graydon promises, users can dramatically reduce the amount of spam they have to wade through at work.

Don’t click on it. As soon as you respond to a spam message, the spammers know you’re there, and they will pass your name around to their friends. Don’t engage them.

Use your work e-mail address ONLY for work. Online, it’s best to keep your work life and your personal life separate. Having a personal e-mail account will protect your work e-mail from more unsolicited messages. In fact, Graydon suggests having two personal accounts. Use one, such as Hotmail, for purchases and a second account, like Gmail, for personal correspondence from family and friends. That way, you decide when you want to go into those accounts. You can search for the information you need and ignore the rest. And be sure to use a personal account when you sign up for anything online.

Never unsubscribe or buy anything from an e-mail solicitation. As soon as you take action, the spammers know you’re there, even if that action is unsubscribing from an e-mail. The same goes doubly, of course, when actually purchasing something from an e-mail solicitation. Don’t do it. They’ll know you’re there, and they’ll tell their friends (read: other spammers) about you.

Change the format of your e-mail address. Unfortunately, it’s easy to find you. And spammers are persistent. They’ll search for your name on your company website, and they will guess at your e-mail address until they get it right. However, if you include a middle initial or middle name in your e-mail address, they are less likely to be able to track that information down. Request a middle initial for your work e-mail, and use one in your personal mail when you sign up for an account.

E-mail in disguise. When you use Hotmail or Gmail, don’t use your real name. Your friends or the websites you’re buying from won’t care what name you go by. I have a friend who uses Sportichick. It’s not professional, certainly, but her friends remember it, and the websites she makes purchases from don’t seem to mind. And when you come up with your own personal name tag, keep it gender neutral to ward off potential online predators.

-Kathleen S. Carr




Photo  by  iStockphoto 


Visit www.

What can

do for you?

security

ionals

• Develop your leadership abilities and earn credentials.

• Enhance your skills and knowledge.

• Unlock doors to new career and business opportunities.

• Stay on top of current events and emerging trends.

• Strengthen your personal network.

Unleash the Power of

>>  BRIEFING 


Q&A 

Terror  Tracker 

How  a  mother  of  three  became 
an  FBI  intelligence  asset 

On September 11, 2001, Shannen Rossmiller, a 30-year-old mother of three and then a municipal court judge, slipped and fell in her rural Montana home. Being laid up for over two months was bad luck for her but astonishingly good luck for U.S. intelligence agencies. Absorbed by news reports and footage of 9/11, Rossmiller spent her convalescence reading about the Islamic world, its culture and language. Unbeknownst to family and friends, she started frequenting chat rooms where terrorists and terrorist-sympathizers talk jihad. Since 2001, Rossmiller has used her growing knowledge of Arabic and understanding of the legal system to build and present cases to the FBI on at least 60 terror suspects, including National Guard Specialist Ryan Andersen, who was arrested and court-martialed after trying to make al-Qaeda connections in an Arabic Internet forum, and Michael Curtis Reynolds, another American accused of trying to blow up oil and gas pipelines. Now officially classified as an intelligence asset by the bureau, Rossmiller spoke to CSO’s Daintry Duffy about the challenges of her work, what it will take for her to quit and the things that still surprise her about the terrorist world.

CSO:  How  do  you  go  about  infiltrating 
these  chat  rooms? 

Rossmiller:  I  can’t  touch  on  sources 
and  methods,  but  one  of  the  tactics  is  using 
elements  of  human  nature  to  your  advantage. 
If  an  individual  has  administrative  privileges 
within  the  Internet  forum,  one  key  is  to  gain 
their  trust  so  you  can  receive  invitations  to 
access  some  of  the  private  portions  of  those 
Internet  forums. 

What kinds of online personas do you use?

I’ve only got four active right now, but over the years I’ve had about 30 other personalities that I have used on different cases. I have some that are just lost young men in the Islamic part of the world looking for jihad.

I’ve  got  other  personalities  that  are  far  more 
prolific  that  take  on  the  more  dangerous 
side:  weapons,  getting  involved  with  the  jihad 
preparation  encyclopedia. 


A  recurring  theme  this  election  season  will 
be  whether  we  are  safer  now  than  pre-9/11. 
From  your  unique  vantage  point,  what  are 
your  thoughts? 

I believe that in a lot of ways we are safer. But our Achilles’ heel in this country is our ability to forget. Time goes by, and we get desensitized and disassociated from things. 9/11 is just far enough in the past that people forget the importance of that day and how it’s impacted our world. Until we recognize that [terrorism] isn’t going to go away quickly, the element of surprise will continue to bite us from behind.

A  lot  of  people  have  moved  on  from  9/11;  I  just 
can’t  seem  to.  It  seems  like  a  wrong  that  never 
has  a  remedy. 

Have  you  thought  about  quitting? 

I  think  about  it  a  lot,  especially  after  a  big 
case.  It  takes  a  lot  out  of  you  physically  and 
emotionally,  and  you  wonder  if  it’s  worth  it. 

I think when the time comes that there are people doing what I do on a regular and formal basis, I will have an easier time stepping back. But I don’t feel that time is here yet.

Do  you  feel  the  FBI  is  making  inroads? 

Absolutely. When I first encountered people at the FBI, they didn’t even have local Internet access. They had to go to the public library, and for that they had to have permission. I was shocked. This was in 2003! So if you look at where things are now, where they were and how far we need to go, we’re on a good track. It’s going to take some time for the government side and all the bureaucratic disadvantages that it brings to get sorted out and run smoothly. However, I do feel that they are coming together.

What still surprises you about the terrorist and terrorist-wannabe subculture?

There’s  this  whole  other  part  of  the  world  that’s 
pretty  much  the  polar  opposite  of  what  the 
West  represents,  and  it  continues  to  present 
a  fascinating  topic  for  me.  They  don’t  think 
like  we  do,  they  don’t  process  like  we  do,  their 
cultures  are  so  different.  Unless  people  [in  the 
West]  have  reason  to  know  otherwise,  they 
just  assume  that  everyone  should  adapt  to 
our  way  of  life  and  thinking,  and  I’ve  learned 
that’s  just  not  viable.  The  sooner  we  accept 
that,  the  easier  it  will  be  to  understand  these 
people,  their  countries  and  their  cultures  to  our 
advantage.  ■ 


ON THE HUNT: Shannen Rossmiller uses her knowledge of Arabic and the legal system to track and trap terrorists online for the FBI.




Photo  by  Steven  G.  Smith 


BUSINESS RISK LEADERSHIP

Solving Real-World Security Challenges in your own backyard

THE CSO EXECUTIVE SEMINAR SERIES ON PCI Compliance: Building Privacy & Security into your Organization

November 14, 2007
New York Marriott East Side, New York, New York


“I am fearless.

I drive security strategy for a global 500 company.

I provide secure access to business resources anytime, anywhere.

I believe security should connect people, not isolate them.

I am fearless.”

Secure anytime, anywhere access. When it comes to security, most businesses understand what it means to fail. But few can imagine what it would mean to succeed. RSA’s information-centric security solutions can move your business forward. That’s why we’re the chosen security partner of more than 90 percent of the Fortune 500. Don’t just secure your business. Accelerate it. Learn more at www.rsa.com/go/glide

The Security Division of EMC

Secure Anytime Anywhere Access | Protect Customer Identities | Secure Enterprise Data | Manage Compliance and Security Information

©2007 RSA Security Inc. All rights reserved. RSA and the RSA logo are either registered trademarks or trademarks of RSA Security Inc. in the United States and/or other countries. All other products and services mentioned are trademarks of their respective companies.


TRANSIT  SECURITY 

FOAMERSTO 
THE  RESCUE 

How  train  nuts  are  keeping 
America’s  railways  safe 

Ken Fitzgerald is pretty sure that he prevented a major train derailment in the summer of 2002. Fitzgerald was stopped at a railway crossing in Fort Worth, Texas, when he noticed a piece of rail sticking out of the track about 100 feet from where he was standing. Knowing that the next locomotive to hit this spot would almost certainly derail, Fitzgerald notified the line’s operator, the Fort Worth & Western Railroad, which stopped the oncoming train.


A  railroad  worker  walks  past  one  of  two  Union 
Pacific  locomotives  that  were  involved  in  a 
predawn  derailment  on  May  16, 2007,  near 
Dupont,  Wash. 


Fitzgerald is what they call a “foamer” in railway circles—a railway enthusiast who just about foams at the mouth at the sight of a train. He spends several hours per week watching and photographing trains going by. And now, thanks to an innovative program launched by Fort Worth’s Burlington Northern Santa Fe Railway (BNSF), he’s a part of the effort to secure America’s railways.

BNSF has recruited more than 6,500 foamers like Fitzgerald to keep an eye on its 32,000 miles of railway track, most of it in the southwestern United States. The program, called Citizens for Rail Security, has helped tip off BNSF to theft and illegal dumping, trespassers, fires and train equipment problems.

Photo by AP/World Wide Photos

Citizens for Rail Security is modeled on Neighborhood Watch community policing programs, and it’s reflective of a general heightened level of security awareness since September 11, 2001, said Bill Heileman, general director of police and protection solutions with BNSF.

Ironically, foamers like Fitzgerald have come under increased scrutiny since 9/11, because police are now taking a second look at anyone hanging around a railway track with a camera. But Heileman believes that Citizens for Rail Security has made BNSF safer. “The foundation for security starts with awareness,” he said. “Nothing is better than good solid intelligence.”

Because most of the public discussion of transportation security since 9/11 has focused on the airways, bridges and ports, people like Heileman are facing a daunting task. Trains carry millions of people each day; they move hazardous waste, often through densely populated city centers and—most problematic of all—they crisscross the country on hundreds of thousands of miles of track that is impossible to completely protect.

You can’t take a bottle of water through airport security, but head out to the local railway tracks, and you can pretty much do as you please. “The way we protect the airports is quite stringent, and yet the way we deal with trespassers on railway property is really kind of lukewarm,” says Richard Young, a professor with Pennsylvania State University’s school of business administration. “We don’t coordinate security around rail infrastructure anything like that.”

Young is the coauthor of a recent report on the state of railway security that recommended that Congress and the Transportation Security Administration pay closer attention to rail security, citing the train bombings in 2004 in Madrid and 2005 in London. Until that happens, however, the railways and foamers like Ken Fitzgerald will have to fill the gap. -Robert McMillan



Fear  less.  Do  more. 


Secure  Anytime 
Anywhere  Access 

Today,  employees,  customers 
and  partners  need  to  connect  to 
your  business  anytime  and  from 
anywhere.  At  the  same  time  you 
need  to  be  certain  that  only  trusted 
parties  gain  access  to  your  critical 
business  resources.  With  RSA’s 
security  solutions  your  users  enjoy 
the  right  access  to  the  right  resources 
at  the  right  time,  driving  efficiency 
and  enabling  collaboration. 

RSA  can  help  your  organization: 

•  Enable  remote  employees  to  be 
productive  anytime,  anywhere 

•  Extend  secure  online  customer 
self-service  channels  to  spark 
new  business  growth 

•  Foster  collaboration  with 
partners  and  suppliers  reducing 
costs,  broadening  distribution 
channels  and  increasing  sales 


Learn  to  fear  less  and  do  more. 
Download  the 
Aberdeen  Group  report 
“Aligning  IT  to  the  Business,” 
and  other  information  at 
www.rsa.com/go/glide 


The  Security  Division  of  EMC 




The Business of Security

Lynn  Mattice,  CSO 
of  Boston  Scientific, 
quizzes  the  man 
Fortune  magazine 
calls  “the  most 
influential  business 
consultant  alive” 
about  how  security 
executives  can  better 
serve  the  business 

WHAT HAPPENS WHEN you bring together one of the business world’s luminaries—Ram Charan, whom Fortune magazine calls “the most influential business consultant alive”—and one of the country’s top CSOs, Lynn Mattice of Boston Scientific?

Still a fair amount of disconnect. It turns out that even the most business-savvy of CSOs (Mattice won a 2007 CSO Compass award for his work on business alignment) still looks at things on a profoundly different level than a globe-trotting consultant who spends most of his time with CEOs and boards of directors. That much became clear during a ground-breaking teleconference between the two men, moderated by CSO magazine’s Sarah D. Scalet.

Mattice, for instance, seemed to take it as a given that information-technology leaders have made their way into the executive suite, serving as something of a role model for security leaders. Charan, on the other hand, cited IT as an example of a function that needs to do a better job of rotating its people into other business areas, to get better business savvy. Likewise, some broad, big-picture initiatives for strategic CSOs—such as the work of the Council on Competitiveness on business resiliency—are not even on Charan’s radar.

Photo by John Abbott

Nevertheless,  the  two  men  found  plenty 
to  chew  on,  as  the  conversation  made  its 
way  from  how  boards  of  directors  view 
security  (peripherally),  to  how  CSOs  can 
evolve  (by  leaving  security  behind),  to  how 
to  implement  change  (without  just  latching 
onto  the  business  fad  of  the  day).  Below  are 
excerpts  from  the  call. 

Mattice: One of the failures identified in your book Execution resulted from the inability of individuals within an organization to envision where they needed to go. One of the things that security departments have been trying to do is evolve away from the “corporate cop” image.

What  are  the  expectations,  as  you 
see  them,  from  the  executive  suite 
on  the  corporate  security  function 
today? 

Charan: The most important part is the expectation about the reputation of the company. How does lack of security help or hurt the reputation of the company? Reputational risk is very important to companies today, so the security people, in addition to compliance, need to consider the appropriate focus on reputation. That should be a part of the annual report to the board on risk: how they are linking with the reputational risk assessment and what they are doing. Very clear, very simple, very direct. That’s the key.

Mattice: We’ve seen other organizations throughout the years evolve and gain a more critical position within corporations, elevating up the levels of corporation to join the executive suite. We have seen this happen with IT, with audit, and in the old days with finance. What are your recommendations on how security leaders should change their focus to be able to move up the ranks?

Charan: Security people have to really master how the business makes money. Move the security people in their early careers across the functions, then bring them back. If you rotate them into other functions and they succeed, you make a broader person, and that person has a real opportunity to move up the ladder.

CSO: If they succeed in another function, doesn’t the security department run the risk of losing that person?

Charan: That’s a good idea. Lose them. You would create better people. It’s a very narrow thinking of one department “losing” a person. How many CFOs have become CEOs? Let’s really kill that narrow thinking.

Mattice:  Eliminate  the  stovepipes. 

Charan: The stovepipes, that’s what hurts. That’s why people don’t move out of IT and HR—because they don’t rotate their people and think of the company as a whole. Your CEO, Jim Tobin—look at his background. He’s a CEO today. What was his background? He came from Baxter [International].

Mattice:  He  started  off  in  finance  over 
there. 

Charan: You got it. He wouldn’t get the job unless he was broader. He wouldn’t be making the moves he has made so successfully. The idea here is that to be able to bring your chair to the table, you’ve got to learn the business. You’ve got to be interested in the business, as you, Lynn, have been interested, and you’ve got to have the rotation early in your career. Companies that do not do this do not do as well. It’s very common at successful companies like General Electric, like Target, like Wal-Mart—these people all do the rotation. The CEO of Wal-Mart used to be a logistics person. He drove trucks.

Mattice: Understanding all of the elements of the business so that you can address their concerns and issues as they evolve.

Charan: Yes, but it’s more than that. They’ve got to work in more than one function, not only understanding but absorbing it. Living with it.

Mattice: I worked for one company where one of the requirements was that at least once a year, everybody from the corporate offices had to go out and spend at least a day on the factory lines so that we didn’t forget how we made the money.

Charan: I think that’s helpful. I’m thinking something deeper. That is, you’re going to go work for a couple years in other functions.

CSO: It’s interesting to me that Lynn mentions IT as an example of a function that has moved up the ranks to join the executive suite, but Ram, from your perspective, it sounds like you don’t see that people are moving out of IT into other functions, either. Are we understanding correctly?

Charan: What I’m saying is to move people early in their careers, from one function to the other. Every function needs to do this more. It’s most commonly done in the finance function.

THE SUBJECTS

Ram Charan, coauthor of Execution and the author of What the CEO Wants You to Know, among other business books, has built a reputation over the last 35 years as one of the world’s most insightful business consultants. He has coached some of the Fortune 500’s most successful CEOs, including Jack Welch of GE and Larry Bossidy of Honeywell International, and worked behind the scenes on strategy for companies such as Bank of America, DuPont, EMC, Home Depot and Verizon. Born in India, Charan got his MBA and doctorate degrees from Harvard Business School. He is known not only for his business acumen but also for his rigorous travel schedule; he claims that he does not keep a permanent residence but spends every night of the year on the road.

Lynn Mattice, VP and CSO of the medical manufacturer Boston Scientific, has worked in corporate security for 30 years and was a founding member of the Security Executive Council. Before joining Boston Scientific in 1997, he was director of corporate security at Whirlpool.

Mattice: We’ve created an organization called the CSO or Security Executive Council, founded by CSO magazine, to do research for the security profession. What we’re seeing more and more today is that people being put into security positions are coming out of nontraditional roles. They’re coming out of the business and being assigned to run this business unit that’s called security.

CSO: What does that say about the maturity of the security function, if other executives are rotating into security, but security executives aren’t rotating out of it yet?

Charan: I’m talking about moving people early in their careers, not at a higher level. If companies are bringing people from outside the security function at higher levels, that might mean the internal people of security were not considered as good. But I don’t want to go there, because I don’t know the details. There are so many factors.

Mattice: An additional piece of the council’s research involves understanding business intelligence and risk and developing a network of information flow so that you can analyze the risk that the company is facing. We see this area as one of the key elements that the security organization can bring to the table with the board and executive committee.

Charan: My sense is that some boards have a risk committee, and usually a general counsel of the company pulls all the risks together in collaboration with the CFO. That is how security fits in.

Mattice:  That’s  where  you  think  we 
would  then  flow  the  information  to? 

Charan:  Exactly.  First  you’ve  got  to  see 
what  is  the  risk  committee,  if  there  is  any. 
If  there  is  none,  then  you  look  at  the  audit 
committee.  And  with  that  you  have  the 
CFO  for  sure,  and  maybe  general  counsel, 
and  then  link  to  that.  The  board  doesn’t 
want  to  see  all  kinds  of  risks.  The  board 
wants  to  see  a  unified  piece  of  information 
and  framework. 

Mattice:  How  do  you  see  boards  and 
executive  management  assessing  risk? 




Photo  left  by  John  Abbott;  Right  by  Furnald/Gray 


“Reputational  risk  is  very  important  to  companies  today,  so 
the  security  people,  in  addition  to  compliance,  need  to  consider  the 
appropriate  focus  on  reputation.  That  should  be  a  part  of  the  annual 
report  to  the  board  on  risk.”  -Ram  Charan 


Charan: I think the boards are just getting going on it. They are using the risk committee, with inside and outside help, to create a framework for evaluating risk. In one case, I know where a lead director actually has gone and visited the site, particularly in the environmental safety and health arena. But other than brand and reputational risks, and the financial risk evaluation, there’s not much high intensity to the overall risk yet.

Mattice: When I read your book What the CEO Wants You to Know, it was very clear that there are a broad range of elements leaders need to have. From your view, what are the most critical elements that need to be in place for the next generation of security leaders?

Charan:  As  I  mentioned,  first  there’s  the 
business  side  of  it.  Second,  security  leaders 
have  to  be  very  externally  oriented,  because 
a  number  of  risks  come  on  a  surprise  basis. 
Some  are  anticipated,  but  a  good  deal  are 
not.  Third,  they  need  to  take  a  more  active 
role  in  working  with  line  people  to  get  them 
to  anticipate  risks  in  the  factoring  of  their 
strategy  and  their  execution. 

Mattice: I’m sure you’re familiar with an effort that the Council on Competitiveness is working on about resiliency. What role would you see a security executive play in dealing with the issue of business resiliency?

Charan:  I  do  not  know  that  particular 
effort.  What’s  the  effort? 

Mattice: The essence of it is ensuring that companies understand their environments, the risks to their environments and the issues that can disrupt their business.

Charan: Yes. They have to understand the business; they have to look on the outside constantly; they’re going to work with the line people to get them to see that their business actions, both strategically and operationally, take into account the possible risks.

Mattice:  One  of  the  things  that  they’re 
saying  is  that  security  can  be  a  profit 
enhancer  for  corporations. 


Charan: No question about that. For example, if you have a construction company that is building some important item for some other company, and the security is very important and the risk is reduced and you build a building a month ahead of time, it’s a huge profit enhancer.

Mattice: There are a number of programs that security organizations participate heavily in that can have a very positive impact, like the Customs Trade Partnership Against Terrorism (C-TPAT), where if you have the right programs in place, your containers and shipments bypass all the customs controls....

Charan: You go work with the logistics people, anticipate, look at the external environment and say what has to be done strategically. Plus it will allow you to decide what kind of insurance you’re going to have.

Mattice:  It  can  reduce  your  velocity 
in  the  business.  If  you  can  speed  up  your 
delivery  [of]  the  raw  goods  or  finished 
OEM  goods,  you  can  speed  things  to  market 
and  have  to  have  less  in  the  pipeline,  which 
frees  up  a  lot  of  capital. 

Charan:  Yes.  So  once  again  we  go  to  the 
same  principle.  Know  the  business. 

Mattice:  You  think  it’s  going  to  be  much 
more  complex  than  this. 

Charan:  It’s  not.  It’s  really  not. 

Mattice: One of the things that I’ve seen over the years is that as new approaches come forward—whether it’s lean manufacturing or TQM or Six Sigma—people throughout companies normally tend to throw somewhat of a jaundiced eye on these things because they look like the management’s program of the month. What is your view on the best way to implement change within an organization and put new programs in place?

Charan: The first thing you ought to do is recognize that these are tools. If they are not used as tools, they become a fad. First you need to define what need or problem you’re solving for the business, and for that need or problem, you decide what tool you’re going to use. You convince the people of the need or the problem or the opportunity, and then have them engage the tools that are best suited. Train the people on the tools. When they’re committed, you will see the change.

Six Sigma is a fad, if you don’t answer the previous question. So you have a [Jack] Welch [former CEO of GE] coming into Six Sigma—and Larry Bossidy [coauthor of Charan’s book Execution and former CEO of Honeywell International] actually persuaded him to do that—but he saw Six Sigma as a huge tool to streamline processes, particularly with customers. That had a huge impact on eliminating waste, creating common systems and processes, thus requiring and resulting in better margins, better profits, and more importantly better service. He defined the need or problem or opportunity, then he searched for a tool, not the other way around.

Mattice:  OK.  It’s  not  trying  to  pick  up 
the  tool  and  force  it  into  the  environment.... 

Charan:  You  will  fail  on  that. 

Mattice:  How  do  you  find  the  right 
tools? 

Charan: You search today on the Internet. You say, this is my problem; what are the tools? There’s so much written about these things coming from various parts of the press. Or just call a consulting firm; they will tell you that. Or Harvard Business Review. If you don’t find them in those places, then you search. For example, in 1990, the CEO of American Standard, Emmanuel Kampouris, toured the world to find the tools of what became lean [manufacturing]. He had a debt problem, and he did not want to sell the pieces of the business. But he could generate cash by changing the production systems and creating high inventory turns. He went all over the world, and he found a guy in Colorado who knew what was “just in time” [manufacturing] and how to do that. It’s no different from anything else. People search for new ideas, new tools.

If  a  human  being  can’t  find  those  in  the 
Internet  age,  we  have  a  different  problem.  ■ 




COVER  STORY  |  GLOBAL  SECURITY  SURVEY 


THE 5TH ANNUAL GLOBAL STATE OF INFORMATION SECURITY


Five  years  ago,  when  CIO,  CSO  and  PricewaterhouseCoopers 
collaborated  on  the  first  “Global  State  of  Information  Security” 
survey,  very  few  people  knew  how  bad  the  problem  was. 

Now  everyone  knows.  They  just  don’t  know  how  to  fix  it. 


By  Scott  Berinato 

AWARENESS OF THE problematic nature of information security is approaching an all-time high. Out of every IT dollar spent, 15 cents goes to security. Security staff is being hired at an increasing rate. Surprisingly, however, enterprise security isn’t improving.

For the fifth straight year, CIO, CSO and PricewaterhouseCoopers (PWC) present select results and analysis from the “Global State of Information Security” survey, the world’s largest, most comprehensive annual information security survey.

And  the  first  question  to  ask  is,  Are  you  feeling  anxious? 

Are you feeling the disquiet that comes from knowing there’s no reason why your company can’t be the next TJX? The angst of knowing that these modern plagues—these spam e-mails, these bots, these rootkits—will keep coming at you no matter how much time and money you spend trying to stop them? The chill that comes from knowing how much you don’t know?

Yeah,  you’re  feeling  it. 

You’re feeling it because you’re seeing it. According to the 2007 survey, a comprehensive canvassing of 7,200 respondents on six continents, you see the information security problem more clearly than ever before. You’re seeing it because you’ve created tools and systems in order to see it. For example:

You’ve  added  processes.  Three  years  ago,  only  37  percent  of 
companies  reported  having  an  overall  security  strategy.  This  year, 
57  percent  did.  Also,  nearly  four  out  of  five  companies  conducted 
enterprise  risk  assessments,  at  least  periodically. 

You’ve  deployed  technology.  Nine  out  of  10  respondents  said 
they  use  firewalls,  monitor  users  and  rely  on  intrusion  detection 
infrastructure,  and  that  number  approached  98  percent  when 
responses  were  limited  to  larger  companies  (more  than  $1  billion 
in  revenue).  Encryption  is  at  an  all-time  high,  with  72  percent 
reporting  some  use  of  it  (compared  to  48  percent  last  year). 

You’ve hired people. The number of CISOs and CSOs employed continues to rise. And the mean number of information security workers per company has topped 100, most likely due to more outsourcing and the use of contract employees.

You’ve crafted an infrastructure for understanding. You’re seeing it, and that’s why you’re feeling it. You’re undergoing a shift from a somewhat blissful ignorance of the serious flaws in computer security to a largely depressing knowledge of them.

Illustration by Guy Billout

COVER STORY | GLOBAL SECURITY SURVEY

Awareness  may  be  at  an  all-time  high,  but  awareness  doesn’t 
equal  improvement,  and  awareness  doesn’t  bring  happiness. 
The  sad  fact  is  that  the  strides  made  to  date  have  not  crossed  the 
threshold  from  seeing  to  fixing. 

“That next level of maturity has not been reached,” says Mark Lobel, a principal with PWC’s advisory services. “We have the technology but still don’t have our hands around what’s important and what we should be monitoring and protecting. Where’s that console that says, ‘Hey, credit card numbers are crossing the firewall and this is a PCI issue that has a real business impact’?”
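The console Lobel describes, as an added illustration that is not code from the article, from PWC or from any product the survey names: a small Python scanner that reads outbound proxy/firewall log lines, pulls out 13- to 19-digit runs, keeps only those that pass the Luhn mod-10 check and match a major card issuer prefix, and raises a PCI-relevant alert with the PAN truncated to its first six and last four digits. The log format and the sample lines are constructed for this example; the card numbers in them are the public test numbers payment processors publish, not real accounts.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of outbound proxy/firewall log lines (hypothetical format,
# documentation-range IPs, published test card numbers). Not real traffic.
SAMPLE_LOG = """\
2007-10-02T09:14:03 src=10.1.4.22 dst=203.0.113.10 proto=http body="order=1234567890123456&qty=2"
2007-10-02T09:15:11 src=10.1.4.23 dst=198.51.100.7 proto=smtp body="card 4111 1111 1111 1111 exp 12/09"
2007-10-02T09:16:40 src=10.1.4.23 dst=198.51.100.7 proto=smtp body="pan=4111111111111112"
2007-10-02T09:17:02 src=10.1.9.8 dst=192.0.2.44 proto=ftp body="AMEX 378282246310005 ok"
2007-10-02T09:18:55 src=10.1.9.8 dst=192.0.2.44 proto=ftp body="ref 5500-0000-0000-0004"
"""

# One log record per line: timestamp, source, destination, protocol, quoted body.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) body="(?P<body>.*)"$'
)
# 13 to 19 digits, optionally separated by single spaces or dashes, not embedded
# in a longer digit run (so a 20-digit account ID is not carved into a "card").
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    proto: str
    brand: str
    masked: str


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: rejects most order numbers, phone numbers and typos."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_brand(digits: str) -> Optional[str]:
    """Issuer prefix and length rules for the four major card brands."""
    n = len(digits)
    two, three, four = int(digits[:2]), int(digits[:3]), int(digits[:4])
    if digits[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if n == 16 and (51 <= two <= 55 or 2221 <= four <= 2720):
        return "MasterCard"
    if n == 15 and two in (34, 37):
        return "Amex"
    if n == 16 and (four == 6011 or two == 65 or 644 <= three <= 649):
        return "Discover"
    return None


def find_pans(text: str) -> List[Tuple[str, str]]:
    """Return (digits, brand) for every candidate that passes both filters."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        brand = card_brand(digits)
        if brand and luhn_ok(digits):
            hits.append((digits, brand))
    return hits


def mask(digits: str) -> str:
    """PCI DSS truncation: at most first six and last four digits may be shown."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_log(log: str) -> List[Alert]:
    """Parse each record and emit one alert per card number found in its body."""
    alerts = []
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for digits, brand in find_pans(m["body"]):
            alerts.append(Alert(m["ts"], m["src"], m["dst"], m["proto"], brand, mask(digits)))
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a.ts} PCI: {a.brand} PAN {a.masked} from {a.src} to {a.dst} via {a.proto}")
```

Run directly, the script flags three of the five constructed lines: the Visa number sent by e-mail, the Amex number over FTP and the dashed MasterCard number, while the order ID and the mistyped card number fail the Luhn check and are ignored. The two filters together are what turn a raw digit-pattern match into something close to the business-level signal Lobel asks for; a production data leakage prevention control would add context (field names, file types, destination reputation) on top of this, which the survey passage does not go into.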

Read  on  for  more  on  what  awareness  has  led  to  and  other  insights 
from  the  “Global  State  of  Information  Security  2007”  survey. 

“I  See,”  Said  the  Blind  Man 

FIVE YEARS AGO, 36 percent of respondents to the “Global State of Information Security” survey reported that they had suffered zero security incidents. This year, that number was down to 22 percent.

Does  this  mean  there  are  more  incidents?  We  don’t  think  so. 
We  believe  it  simply  means  that  more  companies  are  aware  of 
the  incidents  that  they’ve  always  suffered  but  into  which,  until 
recently,  they  had  no  visibility.  Those  once  inexplicable  network 
outages  are  now  known  to  be  security  incidents.  Perhaps  a  spam 
outbreak  wasn’t  considered  a  security  incident  before,  but  now 
that  it  can  deliver  malware,  it  is.  Awareness  is  higher,  and  that’s 
because  companies  have  spent  the  past  five  years  building  an 
infrastructure  that  creates  visibility  into  their  security  posture. 

The Infrastructure Is in Place

Baseline deployment of people, process and technology continues to rise steadily, sometimes dramatically. Among those companies that don’t have these techniques in place, the priority for adding them is remarkably low, indicating that most people who think they need these things now have them.


                                      2006    2007    PRIORITY FOR 2008
People: You have a...
  CSO                                  21%     28%     13%
  CISO                                 22%     32%     17%
  CPO                                  16%     22%     14%
Process: You have...
  An overall security strategy         37%     57%     13%
  A baseline for customers/partners    25%     42%     10%
  Centralized SIM                      34%     44%     11%
Technology: You deploy...
  Firewalls                            77%     93%     15%
  Encryption                           43%     72%     25%
  IDS/A-V/other detection*             57%     90%     28%
  Data backup                          78%     82%     14%
  User security/ID management*         73%     89%     33%
  IPS/filters*                         44%     83%     22%
  Internet security*                   31%     70%     14%

* Before 2007, these categories were not consolidated. The percentage listed is the highest percentage given for one of the subcategories now consolidated into the new category.


We’ve  Seen  the  Enemy;  It’s  You 

THIS YEAR MARKS the first time “employees” beat out “hackers” as the most likely source of a security incident. Executives in the security field, with the most visibility into incidents, were even more likely to name employees as the source.

Likely  Sources  of  Incidents 

Recognition  of  the  insider  threat  is  a  sign  that  awareness  is  increasing,  largely 
due  to  the  controls  that  have  been  put  in  place  over  the  past  five  years. 


WHO ATTACKED US?             2006    2007    2007, SECURITY EXECUTIVES ONLY
Employee/former employee      51%     69%     84%
Hacker                        54%     41%     40%

Have employees suddenly turned more malicious? Are inside jobs suddenly more fashionable and productive than they used to be? Probably not. Most security experts will tell you that the insider threat is relatively constant and is usually bigger than its victims suspect. None of us wants to think we’ve hired an untrustworthy person.

This spike in assigning the blame for breaches and attacks to employees is probably more like the dip in companies that report zero incidents—a reflection of awareness, of managers’ ability to recognize what was always there but what they couldn’t previously determine.

“What’s  happening  is  we’re  doing  a  better  job  with  logging  and 
understanding  situations,”  says  Ron  Woerner,  former  information 
security  manager  at  ConAgra  Foods,  now  security  engineering 
consultant  at  TD  Ameritrade.  “For  a  while,  I  think,  ignorance  was 
bliss.  Now,  with  all  the  technology  in  place,  we’re  learning  that  we 
all  have  the  same  problems.” 

Here’s how building a security infrastructure can lead to more employees named as culprits in security incidents. A CISO is hired. He has the tools to investigate internal network anomalies and the authority to ask business unit leaders to provide him with information for an investigation. His deployment of user-monitoring tools helps him identify insider threats. Then he centralizes security information management software that automatically detects anomalous network behavior. Then maybe he adds a periodic risk assessment process (another trend on the rise, according to the survey) and suddenly his office is finding previously unknown vulnerabilities being exploited. Perhaps he adds an anonymous e-mail/hotline function for whistle-blowers. With all of this and more in place, a company has increased its odds of detecting security incidents.

But here’s an odd paradox: Despite the massive buildup of people, process and technology during the past five years, and fewer people reporting zero incidents, 40 percent of respondents didn’t know how many incidents they’ve suffered, up from 29 percent last year.

The rate of “Don’t know” for the type of incident and the primary method used to attack also spiked.


What You Don’t Know... Could Fill Volumes

I Dunno

Increasingly, those involved in information security reply “Don’t know” when asked about the number and nature of security incidents.


                         2006    2007    2007 CSO/CISO
Number of incidents       29%     40%     29%
Type of attack            26%     45%     32%
Primary method used       26%     33%     20%

It doesn’t bode well that after years of buying and installing systems and processes to improve security, close to half of the respondents didn’t have a clue as to what was going on in their own enterprises. But when close to a third of CSOs and CISOs, who presumably should have the most insight into security incidents, said they don’t know how many incidents they’ve suffered or how these incidents occurred, that’s even worse.

The truth is, systems, processes, tools, hardware and software, and even knowledge and understanding only get you so far. As Woerner puts it, “When you gain visibility, you see that you can’t see all the potential problems. You see that maybe you were spending money securing the wrong things. You see that a good employee with good intentions who wants to take work home can become a security incident when he loses his laptop or puts data on his home computer. There’s so much out there, it’s overwhelming.”

Woerner and others believe that the security discipline has so far been skewed toward technology—firewalls, ID management, intrusion detection—instead of risk analysis and proactive intelligence gathering.

If most of the investment has been put into technology, most of the return will come from there too. The tools will do their job. They will tell you what’s happening and block the most ham-fisted attacks. But technology is largely reactive. It provides alarms and ex post facto reports of anomalies. Intrusion detection, for example, is not terribly effective at threat intelligence—understanding the nature of vulnerabilities before they affect you. All IDS boxes know is that some preset rule has been broken. Think of a glass break sensor on a window at a museum. That piece of technology is extremely effective at telling you that someone broke the window; it does nothing to explain how and why a painting was stolen, nor can it help you prevent the next window from being broken and the next painting from being snatched.

Furthermore, even a cursory look at security trends demonstrates that adversaries, be they disgruntled employees or hackers, have far more sophisticated tools than the ones that have been put in place to stop them. Antiforensics. Mass distribution of malware through compromised websites. Botnets. Keyloggers. Companies may have spent the past five years building up their security infrastructure, but so have the bad guys. Awareness includes a new level of understanding of how little you know about how the bad guys operate. As arms races go, the bad guys are way ahead.

Why You Have to Change Your Strategy

WHAT CAN BE done about all this? Be strategic. Security investment must shift from the technology-heavy, tactical operation it has been to date to an intelligence-centric, risk analysis and mitigation philosophy.


CONVENTIONAL WISDOM

Five truths that have emerged from five years of the “Global State of Information Security” survey

After five years of conducting the “Global State of Information Security” survey, we have noted some critical trends in information security. We’ve also uncovered nontrends: numbers that remain so constant and predictable that we can now call them conventional wisdom. Here, then, are five pieces of wisdom based on numbers in the survey that never seem to change.

Spending lags. You’re always about 10 percent happier with security policy’s alignment with the business than you are with security spending’s alignment. Over the years, roughly 85 percent of you have said that your security policies are completely or somewhat aligned with the business, while just 75 percent said that about spending. After all, who doesn’t want more money?

Partners too. You’re more confident in your own security than that of your partners, suppliers and vendors. Once again, around 80 percent to 85 percent of you were either very or somewhat confident in your security, but when you were asked about partners and vendors, the number dropped to between 70 percent and 75 percent. Remember, you’re someone’s partner and he’s not too thrilled about you either.

Few  are  cocky.  About  one  in  12  of  you 
think  very  highly  of  yourselves.  Since  2003, 
the  number  of  respondents  who  claimed  100 
percent  of  their  users  were  in  compliance  with 
their  security  policies  hovers  around  8  percent. 

Size doesn’t matter. Company size does not affect spending. When the information security budget is measured as a percentage of the IT budget, it remains constant no matter how many employees a company has or what its revenue is. Industry is a far better predictor of security spending than company size: technology companies spend the most; nonprofits and educational enterprises spend the least.

Banks lead. Financial services companies are attacked more but suffer less. Over the years, respondents in the money business have reported more security incidents without an appreciable increase in losses or downtime as a result. They do this despite not having significantly larger security budgets than others. The financial sector models best practices. See www.cio.com/article/H691/The_Global_State_of_Information_Security/5. -S.B.




Information  and  security  executives  should,  for  example,  be 
putting  their  dollars  into  industry  information  sharing.  “Col¬ 
laboration  is  key,”  says  Woerner.  They  should  invest  in  security 
research  and  technical  staff  that  can  capture  and  dissect  malware, 
and  they  should  troll  the  Internet  underground  for  the  latest 
trends  and  leads.  Dozens  of  security  companies  do  just  this  and 
provide  subscriptions  to  research  services. 

“We  have  to  start  addressing  the  human  element  of  information 
security,  not  just  the  technological  one,”  says  Woerner.  It’s  only 
then  that  companies  will  stop  being  punching  bags.  Only  then  will 
they  be  able  to  hit  back. 

IT  Strikes  Back 

SPEAKING  OF  STRIKING  back,  the  2007  security  survey  shows 
a  remarkable  (some  might  say  troubling)  trend. 

The  IT  department  wants  to  control  security  again. 

In the first year of collaboration on this survey (see www.cio.com/article/29841), CIO, CSO and PWC noted that the more confident a company was in its security, the less likely that company’s security group reported to IT. Those companies also spent more on security.

The reason CIO and CSO have always advocated for the separation of IT and security is the classic fox-in-the-henhouse problem. To wit, if the CIO controls both a major project dedicated to the innovative use of IT and the security of that project—which might slow down the project and add to its cost—he’s got a serious conflict of interest. In the 2003 survey, one CISO said that conflict “is just too much to overcome. Having the CISO report to IT, it’s a death blow.”

And every year after that, the trend was for the security function to gain increasing autonomy. More security executive positions were created. More decision-making power was shifted to security and away from IT. And more security groups reported to functions outside of IT, including the legal department, the risk department and, most significantly, the CEO. The trend was even more pronounced at large companies.

In  2007,  this  trend  didn’t  slow  down;  it  flipped.  What’s  more, 
the  reversal  was  most  pronounced  in  the  largest  companies.  For 
example,  respondents  chose  from  12  possible  functions  to  which 
their  CISO  could  report.  Those  12  functions  were  divided  into 
three  categories: 

1.  IT  (CIO,  CTO) 

2.  Neutral  (board,  CEO,  CFO,  COO,  legal) 

3.  Security  (audit,  CPO,  CSO,  risk,  security  committee) 

To allow respondents to select more than one of these answers, we created “shares”—the percentage of respondents with some reporting relationship to one of these three categories. Here are the results.

Reporting to IT

Respondents have some reporting relationship to the following groups

            2006    2007    2007 (>$1B REVENUE)
IT           41%     53%     60%
Neutral      76%     79%     68%
Security     44%     46%     48%

A 12-point rise (from 41 percent to 53 percent) in the share of security executives reporting to IT is hugely significant. And when you slice that by large companies, it’s a 19-point rise. Notice, too, that bigger companies show fewer information security executives reporting to neutral functions.

M.  Eric  Johnson,  an  economist  who  specializes  in  information 
security  issues  at  Dartmouth  College,  says,  “We  actually  analyzed 
the  org  charts,  and  the  solid-line  relationships  are  going  back  to  IT 
and  the  CIO.  CISOs  have  gobs  of  dotted  line  relationships,  but  IT 
is  dominating  reporting  structures  and  the  budgets.” 

Indeed,  the  trend  is  even  more  pronounced  when  you  follow 
the  money  trail. 


Security  Dollars  Come  from  IT 

Funding  for  information  security  comes  from  (could  check  more  than  one) 


Another hallmark of an evolved security function is its convergence with physical security, usually under a CSO. This makes sense both for operational efficiency and because threats are becoming more converged. Access control is a classic example of


AND FURTHERMORE...

More data points to ponder from the “Global State of Information Security” survey


“Uh,  Boss?  Can  We  Talk?” 

ARE  SECURITY  AND  IT  communicating  enough  with  the  CEO? 
Comparing  their  answers,  we  find  some  startling  disconnects. 

What  the  Boss  Thinks;  What  You  Know 

CEOs  seem  to  think  their  enterprises  are  a  lot  more  secure 
(and  their  employees  more  reliable)  than  CIOs  and  security 
leaders  do.  Conversely,  CIOs  and  security  leaders  are  a  lot 
more  optimistic  about  their  budgets  than  are  their  CEOs. 


                                                   CEO    CIO    CISO/CSO/INFOSEC DIR.
We’ve had fewer than 10 security incidents          74%    65%    53%
We’ve had an unknown number of incidents            18%    25%    28%
An employee or former employee was the source
  of the incident                                   44%    71%    83%
We do not conduct enterprise risk assessments       31%    21%    13%
Security spending will increase in ’07              41%    53%    57%
Spending will stay the same                         41%    32%    28%

We  Need  to  Be  But  Are  Not  in  Compliance  With 

Again,  CEOs  are  far  more  confident  than  their  CIOs  and  security 
execs  that  their  enterprises  are  compliant.  Either  the  CEOs  are 
clueless,  or  the  people  who  should  know  aren’t  telling. 


                               CEO    CIO    CISO/CSO/INFOSEC DIR.
HIPAA                           9%    14%    27%
Sarbanes-Oxley                  9%    20%    32%
State privacy breach laws      10%    12%    21%

Privacy—Better, But...

PERHAPS BECAUSE OF the sheer number of incidents involving privacy breaches, companies have improved their privacy practices. They are increasingly separating privacy from security and also separating security governance (which would take part in setting privacy policy) from tactical security. That means, for example, the people deploying monitoring tools aren’t the ones setting the usage policy for those tools.

But  more  work  needs  to  be  done.  Some  of  the  key  steps  to 
ensuring  data  privacy— encrypting  databases,  classifying  data 
by  risk  level— haven’t  become  standard  practice.  The  industry 
least  likely  to  have  adopted  privacy  practices  is  technology.  A 
privacy  leader?  Consumer  banking. 


Who Wants to Know?

Privacy Best Practices

                         EMPLOY   SEPARATE      SEPARATE       CLASSIFY
                         CPO      PRIVACY &     SECURITY       DATA BY
                                  SECURITY      GOV. & OPS.    RISK
Overall                   22%      54%           66%            70%
>$1B revenue              30%      66%           58%            79%
Financial services        33%      64%           60%            80%
Consumer financial        41%      69%           55%            90%
Retail                    14%      51%           66%            58%
Health insurance          53%      73%           49%            81%
Healthcare provider       49%      72%           65%            64%
Technology                22%      49%           72%            77%
More  on  Privacy 

WHILE  60  PERCENT  of  survey  respondents  posted  privacy 
policies  internally,  only  24  percent  posted  policies  on  their 
external  websites.  Only  28  percent  audited  their  privacy  stan¬ 
dards  through  a  third  party.  Sounds  like  a  cover-your-butt 
ploy;  after  all,  if  you  don’t  have  a  policy  posted,  you  can’t  be 
sued  for  violating  or  not  living  up  to  it.  And  if  you  haven’t  had 
your  privacy  audited,  you  don’t  have  to  fix  all  the  problems  an 
audit  would  find. 

Respondents  who  do  not  keep  an  accurate 
inventory  of  user  data:  69% 

Respondents  who  do  not  keep  an  accurate 
inventory  of  where  data  is  stored:  67% 

Region  of  Risk 

ONE  OF  THE  areas  of  the  world  where  the  focus  on  informa¬ 
tion  security  has  intensified  is  Latin  America,  specifically  Brazil 
and  Mexico.  Researchers  and  law  enforcement  believe  that  cul¬ 
tural  differences  in  acceptance  of  less-secure  online  transaction 
methods  and  fewer  controls  and  regulations  on  banking  activity 
have  made  the  region  the  banking  center  of  choice  for  the  Inter¬ 
net  criminal  underground.  Here  are  some  select  findings. 


                   INFOSEC BUDGET      DO NOT CONDUCT     BUDGET WILL RISE       >1 DAY
                   AS % OF IT BUDGET   RISK ASSESSMENT    MORE THAN 10% IN ’07   DOWNTIME
Overall                 15%                 23%                 20%                 8%
U.S. and Canada         12%                 19%                 16%                 7%
South America           19%                 36%                 30%                15%
Brazil                  16%                 43%                 29%                21%
Mexico                  21%                 33%                 28%                13%
China                   19%                 32%                 26%                13%
India                   21%                 17%                 33%                 9%


convergence  paying  dividends.  By  combining  building  access  and 
network  access  in  one  system,  you  save  money,  improve  efficiency 
and  create  a  single  view  into  both  physical  threats  (illegal  entry) 
and  digital  ones  (illegal  network  access). 

And  for  four  years,  convergence  of  physical  and  IT  security 
steadily  increased.  Until  this  year. 

Physical and Information Security Converge, Then Diverge

Information and physical security are separate

          OVERALL    REVENUE $1B OR MORE
2003        71%        NA
2004        50%        NA
2005        47%        NA
2006        25%        36%
2007        46%        55%

Information and physical security report to the same executive leader

          OVERALL    REVENUE $1B OR MORE
2003        11%        NA
2004        26%        22%
2005        31%        24%
2006        40%        33%
2007        34%        27%

Respondents  who  do  not  integrate  physical 
and  information  security  personnel:  69% 

Of  those,  percent  with  no  plans  to 
integrate  personnel:  80% 

Who’s in Charge?

SIGNS OF I.T.’s control and influence are peppered throughout the survey results. For example, when asked what security guidelines their companies followed, respondents were far more likely—sometimes two or three times more likely—to cite more general IT guidelines like ITIL than security-specific ones like SAS 70 and various ISO security standards.

What’s  going  on  here?  Johnson  has  one  theory:  “Security  seems 
to  be  following  a  trajectory  similar  to  the  quality  movement  20  or 
30  years  ago,  only  with  security  it’s  happening  much  faster.  During 
the  quality  movement,  everyone  created  VPs  of  quality.  They  got 
CEO  reporting  status.  But  then  in  10  years  the  position  was  gone 
or  it  was  buried.” 

In  the  case  of  the  quality  movement,  Johnson  says,  that  may 
have  been  partly  because  quality  became  ingrained,  a  corporate 
value,  and  it  didn’t  need  a  separate  executive.  But  the  evidence  in 
the  survey  suggests  that  security  is  neither  ingrained  nor  valued. 
It’s  not  even  clear  companies  know  where  to  put  security,  which 
would  explain  the  “gobs  of  dotted  line”  reporting  structures. 

That  brings  us  to  another  theory:  organizational  politics.  What 
if  separating  security  from  IT  were  creating  checks  on  software 
development  (not  a  bad  thing,  from  a  security  standpoint)?  What 
if  all  this  security  awareness  the  survey  has  indicated  actually 
exposed  the  typical  IT  department’s  insecure  practices? 


METHODOLOGY The “Global State of Information Security 2007” survey, a worldwide study by CIO, CSO and PricewaterhouseCoopers, was conducted online from March 6, 2007, through May 4, 2007. Readers of CIO and CSO and clients of PricewaterhouseCoopers from around the globe were invited via e-mail to take the survey. The results shown in this report are based on the responses of 7,200 CEOs, CFOs, CIOs, CSOs, VPs and directors of IT and IS, and security and IT professionals from more than 100 countries. Thirty-six percent of the respondents were from North America, followed by Europe (28%), Asia (23%), South America (12%) and the Middle East and South Africa (2%). The margin of error for this study is +/- 1%.


One way for IT to respond would be to attempt to defang security. Keep its enemy close. Pull the function back to where it can be better controlled.

“What  I  hear  from  CIOs,”  says  Johnson,  “is  at  the  end  of  the 
day  they’re  responsible  for  failures  anyway.  They’re  on  the  line 
whether  security  is  separate  or  not.”  Why  wouldn’t  the  CIO  want 
to  control  something  he’s  ultimately  responsible  for? 

On the other hand, maybe security was never as separate as it seemed. Companies created CISO-type positions but never gave them authority. “I continually see security people put in the position of fall guy,” says Woerner of TD Ameritrade. “Maybe some of that separation was, subconsciously, creating a group to take the hit.” Woerner also believes that the trend of the security budget folding into the IT department could be a direct result of security auditing that focuses primarily on infrastructure. That is, when auditors look at information security weaknesses, they recommend technological fixes. And IT buys the technology. Why should IT be charged for another department’s expenses?

Whatever  the  reason,  the  trend  is  disturbing  to  some  security 
professionals,  especially  at  a  time  when  they  play  an  ever  more 
central  role  in  corporate  crises,  and  in  society  in  general. 

The  state  of  Internet  security  is  eroding  quickly.  Trust  in  online 
transactions  is  evaporating  and  it  will  require  strong  security 
leadership  for  that  trust  to  be  restored.  For  the  Internet  to  remain 
the  juggernaut  of  commerce  and  productivity  it  has  become  will 
require  more,  not  less,  input  from  security. 

But right when the best and brightest security minds are needed most, they’re being valued less.


Reach  Executive  Editor  Scott  Berinato  at  sberinato@cxo.com. 




CISO  JOHN  PETRIE:  Harland  Clarke  needed 
to  establish  repeatable  processes  for  identifying 
threats  and  weighing  risks. 


CASE  STUDY:  RISK  MANAGEMENT 


Checks and Balances


Harland  Clarke  Holdings  wanted  to 
remake  its  business— and  its  approach 
to  security  had  to  keep  up 

BY  MARY  BRANDEL 


Three and a half years ago, Harland Clarke Holdings’ approach to security was very much in tune with its identity as a market-leading manufacturer of checks and check-related products for businesses and consumers. Security, according to John Petrie, chief information security officer at the San Antonio, Texas-based company, was a tactical concern that focused on the production processes in its nine plants throughout the U.S.

But that approach was becoming a bit old-fashioned as Harland Clarke expanded beyond its manufacturing roots, adding customer contact centers, direct response marketing services and electronic commerce capabilities to its offerings.

“There were issues around protecting electronic data, and our printing processes had changed over to the digital age, so there was a transformation that had occurred,” Petrie says. “We knew we had to change our risk management structure.”

Photo by Wyatt McSpadden

That’s why, when Petrie was asked to join the company in 2004, Harland Clarke (named Clarke American at the time) was on the brink of a CEO-driven reinvention, not just of the processes it used to make security and risk management decisions but also the way its entire culture viewed security. In order to retain its competitive position in the market, “we wanted to become a secure provider of checks and check-related services, versus just a manufacturer,” Petrie says.

Meanwhile,  by  2005,  Harland  Clarke’s 
own  customers— financial  institutions— 
were  demanding  more  security  controls 
and  risk  programs  from  their  suppliers, 
thanks  to  regulatory  changes  that  required 
them  to  prove  end-to-end  security  in  their 
supply  chains. 

Three  Priorities 

THE  TOP  THREE  priorities  of  the  new 
security  program,  Petrie  says,  included 
taking  advantage  of  enterprisewide  quality 
processes  (the  company  won  a  Malcolm  Bal- 
drige  National  Quality  Award  in  2001);  link¬ 
ing  security  and  risk  mitigation  decision 
processes  to  the  business’s  operating  plan 
and  strategic  growth  goals;  and  ingraining 
security  into  the  mind-set  and  daily  activi¬ 
ties  of  Harland  Clarke’s  employees.  “We 
wanted  to  make  sure  security  wasn’t  a  thing 
that  sits  out  there  and  functions  on  its  own,” 
Petrie  says. 

It was essential, Petrie says, to leverage Harland Clarke’s quality program in the design of the security program, especially to enjoy the cost savings. “We were able to take advantage of the solutions we implemented for quality in the areas of identification, notification and prevention,” he says. For example, in each plant there are personnel in charge of monitoring and maintaining quality processes. Now those same people are also responsible for determining whether events that could potentially affect quality might also impact security, such as changes to plant schedules or machine malfunctions.

To reflect security’s new central role in the business, the company also changed its organizational chart. Previously, security was a decentralized function that was governed by the CIO and the plant managers. Now, as CISO, Petrie reports not to the CIO but to the company’s chief security officer, who also owns physical security and incident management. The CSO, Pat Patterson, who was a former FBI special agent in charge, reports to the senior vice president of administrative services (as do human resources, general counsel, the compliance officer, the privacy officer, partner support and partner reporting), who reports to the executive management team.

Harland Clarke (known as Clarke American until this year) is a leading provider of checks and related products, contact center services, e-commerce and direct response marketing solutions to financial services companies throughout the U.S. Annually, it produces more than 10 billion checks and deposit tickets in a variety of formats through a network of 16 electronically linked manufacturing facilities and customer service centers.

And to make security more of a business function, it was also important, Petrie says, to develop a program that was made up of repeatable, auditable and measurable processes. To that end, Harland Clarke chose a standard—ISO 17799/27001—that would serve as a baseline for developing its security controls and budgets. The standard stipulates 10 domains that define best practices for several areas, including business continuity planning; system access control; system development and maintenance; physical and environmental security; compliance; personnel security; security organization; computer and operations management; asset classification and control; and security policies. Each of these domains is also connected by governance guidelines such as Cobit, as well as financial industry guidelines proposed by the Federal Financial Institutions Examination Council.

Business  Focus 

NEXT UP WAS linking security spending and risk management decisions with business goals. To do this, Harland Clarke had to establish some new processes for identifying threats, understanding vulnerabilities and determining which risks it was willing to accept and which it needed to mitigate.

One of these processes is its annual business impact analysis, a three-month-long endeavor conducted by a third-party provider (which Petrie declines to identify) that reviews the company’s risk management processes and identifies vulnerabilities or threats to the company’s existing controls as they pertain to the goals of the company’s five-year operating plan.

For instance, in its contact center, the analysis might look at the controls that ensure call center employees know when calls are being recorded and the controls that protect those recordings from a regulatory perspective and ensure those controls don’t negatively impact call answer and handling time. Or it might review the controls surrounding the development of new marketing campaigns. “Because we’re getting consumer information, we need to look at how to protect that, and once controls are in place, how that would affect the flow of the marketing campaign, which in turn will determine acceptable risk levels,” Petrie says.

Second, Harland Clarke works with Verizon Business (which acquired the company’s managed security service provider, Cybertrust, in July 2007) to conduct annual and monthly vulnerability reviews of the entire enterprise, as well as its perimeter. Verizon reviews the controls that Harland Clarke has in place, identifies vulnerabilities, makes recommendations and audits the company’s response to those recommendations. For instance, if the security office or executive management team determines that a vulnerability falls within the realm of acceptable risk, Verizon will review that decision and, if it disagrees, will recommend that Harland Clarke revisit the decision. “Risk isn’t finite; it isn’t a ‘yes’ or ‘no,’” Petrie says. “It depends on what’s acceptable to the business to operate.”

Photo by iStockphoto

Risk  Matrix 

THE RESULTS OF both the business impact analysis and the vulnerability review are then funneled into the development of an annual risk matrix, which combines 20 risk areas, such as malicious code, asset loss and fraud, that are presented to the executive management team. An overall risk score is assigned to each threat, based on whether it’s an internal or external threat; its level of potential damage based on a scale of one to 10; and its probability of materializing. From this matrix, the security office determines what actions to take to mitigate risk, which are then approved by the executive management team.

For example, a zero-day worm might be issued a damage score of 7 or 8, Petrie says, and a probability score (assuming controls are in place) of 2 or 3. The risk factor would be determined by multiplying those two numbers and assigning other values, such as what it would cost to shut down the network, and segregate and apply a fix if the worm did penetrate.

“The risk matrix is a tool to help you assign a quantitative number to which you can then decide whether to assign resources and assets to mitigate risk,” Petrie says. But because there’s only so much capital you can spend, it’s up to the executive management team to make the final decision on acceptable risk.

In the end, Petrie says, the company has been able to create an information security program that incorporates repeatable, measurable processes that can be audited and are linked into risk management and the business decision-making process. “Now, security is similar to any other line of business,” Petrie says.

In fact, when the different areas of the business develop their annual key performance indicators, security is no different. “We’re required to create KPIs and metrics that support those KPIs,” Petrie says. Right now, there are eight KPIs associated with security, supported by 30 metrics that are regularly monitored to ensure the goals are being met. “If we don’t meet the metrics within information security, that has an impact on our business goals,” Petrie says.

Risk  Management  in  Action 

WITH THE SECURITY processes and risk matrix in place, Petrie’s group has all the tools it needs to make security investment decisions as they arise throughout the year. For instance, it recently discovered through its monthly vulnerability scans and spot checks of its image recordings that one of its VHS-based security recording systems was malfunctioning, affecting 20 to 30 cameras that were attached to it.

One option was to upgrade the entire system to digital; another was to switch out some systems from other locations, as the age of the system made it impossible to find an exact replacement. A controls review indicated that from a cost/benefit standpoint, it made better sense to spend the capital on a replacement digital system, especially because this would enable several locations in the future to be connected over the Internet to a single operations center. Costs were estimated in the millions of dollars.

The group submitted its results to the executive management team, which agreed that the VHS system posed an unacceptable risk based on the current business model and that replacing it with a digital system would mitigate that risk, both from a quality and a security perspective.

The entire process took about four months, from approaching the executive management team to implementing the first camera replacements. Although going digital represented a 20 percent to 30 percent increase in initial one-time costs over analog VHS, cost savings included physical storage cost reductions and a 20 percent reduction in maintenance costs year over year. It also helped that the camera system was used to monitor the company’s quality processes as part of the technical controls portion of the production process, which do have an ROI and an impact on the bottom line.

In a second instance, a Verizon scan revealed vulnerabilities in a production facility: operating systems on its manufacturing line equipment that were not patched adequately. Several months earlier, Harland Clarke had been aware that patches were being offered by the software manufacturer but had made the decision not to implement them because of the possibility of causing a system outage or other negative impact on performance.

Now, however, the scan was reporting that an existing worm had been modified in a way that heightened the risk. This caused the group to revisit its previous decision by running some penetration tests over a 30-day period to determine residual risk and calculate the cost of mitigating the problem. In parallel, it presented the new finding to the executive management team.

“The chances were fairly high that even a low-level worm or virus would shut those systems down,” Petrie says. “We determined that it was not an acceptable risk to not apply this patch,” especially because it could be applied during maintenance windows rather than bringing systems down.

“The whole process was a complete review of the decision we’d already made several months earlier,” Petrie says. “That’s why a risk management program is so critical—the threat had changed, so we had to reassess our decision and make a new one based on that.”

And that, he says, is indicative of what the security manager’s job is all about. “The passage of time is critical,” he says. “Risk management is not a stagnant process but a continuous one.” ■
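The risk matrix and the revisited patching decision described above, as an added example that is not part of the article or of Harland Clarke’s own tooling: a small Python risk register that scores each threat as damage times probability on the article’s 1-to-10 damage scale, ranks the register for executive review, spends a fixed mitigation budget in rank order, and re-scores a threat when a new scan finding changes its likelihood. The acceptable-risk threshold, the budget, every cost figure and the 1-to-10 probability scale are assumptions.

```python
"""Risk-matrix scoring in the style the case study describes.

Added example, not Harland Clarke's tool: the acceptable-risk threshold,
the capital budget, the cost figures and the 1-10 probability scale are
assumptions; only the damage scale and the damage x probability rule come
from the article."""
from dataclasses import dataclass, replace
from typing import Dict, List

SCALE_MIN, SCALE_MAX = 1, 10   # damage is scored 1-10; probability assumed to share the scale
ACCEPTABLE_RISK = 20           # assumption: executive-approved ceiling on damage x probability
CAPITAL_BUDGET = 60_000.0      # assumption: mitigation capital available this cycle


@dataclass(frozen=True)
class Threat:
    name: str
    origin: str             # "internal" or "external", recorded per threat in the matrix
    damage: int             # potential damage if it materialises, 1-10
    probability: int        # likelihood with current controls in place, 1-10
    exposure_cost: float    # constructed: cost to shut down, segregate and fix after a hit
    mitigation_cost: float  # constructed: cost of reducing the risk now


def risk_factor(t: Threat) -> int:
    """Damage multiplied by probability, rejecting anything off the scale."""
    if t.origin not in ("internal", "external"):
        raise ValueError(f"{t.name}: origin must be internal or external")
    for label, value in (("damage", t.damage), ("probability", t.probability)):
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"{t.name}: {label} {value} is outside {SCALE_MIN}-{SCALE_MAX}")
    return t.damage * t.probability


def build_matrix(threats: List[Threat], acceptable: int) -> List[Dict]:
    """Rank threats for the executive review. Scores above the threshold are
    proposed for mitigation; the rest are proposed as accepted risk."""
    rows = []
    for t in threats:
        score = risk_factor(t)
        rows.append({
            "name": t.name, "origin": t.origin, "risk_factor": score,
            "exposure_cost": t.exposure_cost, "mitigation_cost": t.mitigation_cost,
            "proposal": "mitigate" if score > acceptable else "accept",
        })
    # Highest score first; exposure cost breaks ties (the "other values" the article mentions).
    return sorted(rows, key=lambda r: (-r["risk_factor"], -r["exposure_cost"]))


def fund_mitigations(matrix: List[Dict], capital: float) -> Dict[str, List[str]]:
    """Spend a fixed budget on proposed mitigations in rank order. Whatever is
    left unfunded goes back to executives as residual risk to accept or defer."""
    funded, unfunded, remaining = [], [], capital
    for row in matrix:
        if row["proposal"] != "mitigate":
            continue
        if row["mitigation_cost"] <= remaining:
            remaining -= row["mitigation_cost"]
            funded.append(row["name"])
        else:
            unfunded.append(row["name"])
    return {"funded": funded, "unfunded": unfunded}


def reassess(t: Threat, **changes) -> Threat:
    """A changed threat means re-scoring, not reusing the earlier decision.
    Returns a new record so the original stays in the decision trail."""
    return replace(t, **changes)


# Constructed register; the risk-area names echo those the article mentions.
UNPATCHED_LINE_OS = Threat("unpatched manufacturing-line OS", "external", 7, 2, 400_000, 15_000)
REGISTER = [
    Threat("zero-day worm", "external", 8, 3, 250_000, 45_000),
    UNPATCHED_LINE_OS,
    Threat("asset loss", "internal", 5, 4, 80_000, 10_000),
    Threat("fraud", "internal", 9, 3, 600_000, 30_000),
    Threat("malicious code", "external", 6, 5, 120_000, 20_000),
]


def annual_review(register: List[Threat] = REGISTER):
    """The yearly matrix plus the budget decision, as presented to management."""
    matrix = build_matrix(register, ACCEPTABLE_RISK)
    return matrix, fund_mitigations(matrix, CAPITAL_BUDGET)


def revisit_patch_decision():
    """A scan reports the worm was modified: the constructed likelihood rises
    from 2 to 6 and the earlier 'accept' no longer holds."""
    before = risk_factor(UNPATCHED_LINE_OS)
    changed = reassess(UNPATCHED_LINE_OS, probability=6)
    after = risk_factor(changed)
    return before, after, "mitigate" if after > ACCEPTABLE_RISK else "accept"


if __name__ == "__main__":
    matrix, funding = annual_review()
    for row in matrix:
        print(f'{row["risk_factor"]:>3}  {row["proposal"]:<8} {row["name"]}')
    print(funding)
    print(revisit_patch_decision())
```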


Mary Brandel is a freelance writer. Send feedback to csoletters@cxo.com.




BARRY SCHRAGER, the original architect of mainframe security, hasn’t lost faith that his approach to securing the enterprise is the superior approach. And he believes the future of security can be found in the past.

THE WHOLE IDEA that data needs to be protected, and that users need to convince a computer that they’re worthy of seeing the data on that computer—in other words, the entire information security industry—exists because of some punk undergraduates at the University of Illinois.

It was the early 1970s and, as Barry Schrager remembers it, the undergrads were accessing the mainframe in order to trash graduate students’ research data. But why? “Just for fun,” says Schrager, who at the time was assistant director at Illinois’ computer center. Schrager realized that the mainframe, the data on it, needed protection from a perpetual threat that one should never underestimate: typical undergraduate behavior.

By 1972, IBM had learned of Schrager’s security efforts and asked him to create a security project for its flagship mainframes. The foundation of this work with IBM, called the Share project, was based on the concept of system integrity, meaning a normal user must be incapable of bypassing the formal interfaces of an operating system to gain access. It seems obvious now, but back then, with a bunch of researchers sharing a few big computers in a collegial atmosphere, it was a fresh, even daring idea.

To look at data, you had to have permission. Later in the ’70s, Schrager would develop ACF2, a mainframe authentication mechanism that succeeded IBM’s own software, RACF. ACF2 and its descendants are still used today.

Fast-forward three-plus decades and Schrager, like everyone, sees an entirely different computing landscape. Yet when he thinks about how to secure it, he keeps coming back to the original tenets that came out of 1972. He keeps returning to centralized authentication, to simplification, to shared services, to default protection. He keeps coming back to mainframes. CSO Executive Editor Scott Berinato spoke with Schrager, who now works with software and services provider Vanguard Integrity Professionals, still preaching the mainframe-centric security gospel. Schrager spoke about his faith in the mainframe security model, the challenges he sees in securing today’s enterprise and how information security problems that we think are new are nothing of the sort.

Photo top by Corbis

CSO: What was the primary concept behind the Share project that you still find so appealing?

Schrager: The concept here was that the application and delivery system shouldn’t do their own security. They should be calling a central service. The idea was to specifically take security out of the application. Then, if you have two different ways you’re updating payroll, the security will be consistent. If security is not centralized, each payroll is doing its own, you have inconsistency. The idea was to share security. And, beyond the technical, the Share project was the ability for people to get together and work together. Still, it took five or 10 years for applications or vendors to follow suit and externalize security.

CSO:  Five  or  10  years? 

Schrager: Yes. In the early ’70s, the computing industry was a bunch of odd ducks. It was anyone with a computer center that wasn’t closed. It was universities, service bureaus and the Department of Defense. I didn’t get input from private industry or from financial institutions at all, even though they used mainframes. Then in ’77, the Foreign Corrupt Practices Act dictated that companies had to prove they were securing international transactions. Suddenly, everyone got on board.

CSO: Radically insecure private sector, followed by legislation that forces companies to adopt more secure practices. That sounds awfully familiar.

Schrager: Yes. What you’re seeing now with Sarbox, HIPAA and other things. I’ve seen this before.

CSO: We tend to characterize the current security landscape as new and uncharted territory. You’re saying it’s not?

Schrager: Not at all. Take identification. How many do you have? Too many, right? One of the biggest concerns as mainframes took off was identities. All these mainframe guys were complaining they had too many and it was hard to manage them all. That was a huge problem on the mainframes! We talked authorization, about logical security and journaling capabilities. Now they call it authentication, authorization and accounting, AAA, but it’s the same concepts that we were talking about in 1974.

CSO: Of the security concepts from the mainframe that you believe can help improve enterprise security today—including making data protection default on, simplifying enterprise architecture, to centralization of security—which is most important?

Schrager: The most important lesson we should have is to have a conceptually centralized security approach. Nowadays we have SAP, Oracle and everyone else having their own security. What we really need to create is a framework for a single security approach. We also really need a centralized place that recognizes an attack in progress on a computer. If you have to look at billions of log entries stored all over the place to find unusual events in your enterprise, it’s too late.

CSO: It sounds like you’re saying we need more architects and fewer engineers.

Schrager: Yes. We need a lot more architects. And a lot more cooperation between the people designing products. Cooperation with other people designing products around their products. How do I provide better enterprisewide security? I get Oracle and SAP to provide a common interface that allows me to manage and use one security product regardless of the applications I’m using.

CSO: And to do this you say we should rely on mainframes for security.

Schrager: It’s a great option. For some reason people keep thinking that the mainframe is dying. It’s actually enjoying growth. But there are ways to adapt the ideas to nonmainframe environments.

CSO: Which era appreciates security more, the current one or the 1970s mainframe era?

Schrager: Right now, it’s the same as the early 1980s. People found out you could do these things with security we developed in the 1970s and they jumped on the bandwagon. People are jumping on the bandwagon again, but it’s so complex now. And the thing to do is to try and simplify the enterprise.

CSO: But often people will say that to achieve simplicity you must give up flexibility or functionality.

Schrager: If you look at the mainframe, from an application point of view, it’s pretty simple but highly functional. Yes, there’s complexity behind it. But the point is just because there’s a lot going on underneath doesn’t mean it has to be complex for the administrator.

CSO: In other words, the current generation hasn’t done a good job keeping the complexity under the hood?

Schrager: Right. Take SOA, for example. You have one delivery system passing data through 12 layers of transformation.

CSO: But enterprise computing is so complex now, it seems a little quixotic to think you can simplify.

Schrager: That’s why the role-based stuff is coming. I put a person in a role, then create groups of people in similar roles, and I reduce complexity. I categorize the data. Once you start talking about that, you have a better chance. The only way you can deal with it is at the architectural level.


CSO: So the barrier to your vision of simplicity is the up-front cost of transforming the enterprise. Of creating roles and groups and categorizing data and so forth.

Schrager: Yes. You read the discussion lists, and that’s a huge problem when you’re trying to move over to the simpler approach. One company, it took them a year. It’s hard.

CSO: Hard, but you still believe inevitable.

Schrager: It is. Otherwise you are exposed to the atrophy effect. You won’t be able to keep up. Systems fail over time, and the more places you have the data, the more rules you have in more places, the worse the problem. Eventually it’s not even that you can’t keep up, it’s that you can’t grasp what’s going on in the enterprise from a security perspective. Total atrophy. ■


Reach Executive Editor Scott Berinato at sberinato@cxo.com.




[ undercover] 

By  Anonymous 


Happy  Campers 

Juggling the needs of top performers and less-seasoned team members can be difficult, but it’s critical to everyone’s growth


The e-mail was from one of my best engineers, and it began, “I don’t understand why you keep giving these important projects to people with a track record of not performing. John hasn’t completed a task yet without someone coming in to bail him out at the last minute. I can deliver this task in less time and give you a better product and you know it! I’m concerned about how you are managing this team.”

My first reaction was “What! You’re concerned about my management style? I’ve been doing this leadership stuff longer than you’ve been alive and I think I know what I’m doing.” My second thought was “Uh oh, I have bigger problems than getting this individual job done. Now I have to nurture two people, but only one of them is the real issue and the other one is my best guy!”

The  Dangers  of  Class  Warfare 

You know the drill. If you are lucky and have recruited well, you have a couple of people who are always ready for a new challenge and are willing to tackle literally anything. In fact, they thrive when the stress is high and the challenges are significant.

The positive aspect of such employees is that they are typically successful and you can always count on them for their best effort.

The negative aspect is that it’s easy to find yourself overloading these “A” players. Because our days are filled with crises and stress, these go-to guys are the folks you can absolutely count on for success...just like pushing the Staples Easy Button! That’s the problem, though: it’s too easy! The nullifying outcome is that your “B” players will eventually grow resentful if a few superstars seem to be getting all the important projects. Unless you’re careful, you’ll soon find yourself being criticized by both groups because you’ve created a class war. The “A” players will eventually be unhappy because you’ve given them too much to do, and the “B” and “C” players will be mad at you for ignoring them. Don’t fool yourself either—even your people who know they’re not “A” players will feel left out.

The “A,” “B” and “C” player analogy is obviously a rule of thumb, but it’s necessary to have some combination of these different people in your organization. Too many of one without the others leads to an imbalance that can overwhelm your ability to manage them. While it’s interesting to contemplate, can you imagine an entire team of “alpha geeks?” Yikes! The point is that while you’ll always have a range of skill levels in your organization, you will also have varying levels of maturity, loyalty and dedication.


Achieving a Blend of Skills

Alpha geeks tend to have an arrogance about their technical skills. This also gives them the false confidence that they must obviously be good at everything. I occasionally comment to up-and-coming leaders that there are many facets to running an operation and they only see things at their level of the organization, just like I tend to only see things at my level of the organization. A key ingredient of good leadership is the ability to look beyond that level and attempt to see the larger picture. So, your standard alpha geek thinks he can do everything better than everyone else. But what about the rest of your staff—those “B” and sometimes even “C” players who make up the majority of your team? They may not be superstars but you count on them to help do the daily jobs that are the bulk of your work.

This is especially true in the public sector, where I work as the CISO for a government agency, and the workforce tends to be fairly static and less prone to taking career risks. Unlike the private sector, where you can cut people loose for underperforming, in most public sector organizations you have a civil service and organized labor to be concerned about when dismissing, counseling or disciplining employees. I’ve found the hard way that it takes a lot more time and emotional effort when you handle a personnel performance situation poorly than when you take the time to do it right.




Illustration  by  Hadley  Hooper 


Saving Careers Through Leadership

A big part of our job as leaders of our security organizations is to grow our people. Call it mentoring, call it training or call it succession planning—working to make our people better is critical not only to our own success but to the success of our organization, and I also believe it’s a moral obligation to the people and society in general. This doesn’t mean that when an employee has a lack of aptitude or a lack of desire we pour endless amounts of time or money into training him, but it does mean that we make a good faith effort to help our people be productive. It costs a lot more to hire a new employee than it does to make an existing employee productive if the ability and desire are there.

For example, I recently took over an organization that had “leadership problems” at the operational level. Its manager had come in with a great reputation as a technical wizard but was floundering as a manager. The organization simply wasn’t getting things done and morale was headed south. What I quickly discovered was classic: While a savant and clear “A” player in the technical arena, he was a mediocre “C” player in his management role and didn’t know how to prioritize tasks. He was used to having a very defined role with clear technical responsibilities, and my predecessor just assumed this guy could figure it out. So as this young manager started being inundated with issues, he tried to time-slice each of them into his daily schedule without delegating anything, and the result was that nothing was getting done. My response was to begin providing very defined tasks that allowed him some small management successes. This increased his confidence and also increased the confidence of those working for him that he was going to make a successful transition from technician to manager. A less effective reaction to this situation would have been to simply write him off as a bad manager and put him back into a technical role without attempting to remedy or understand the problem.


The  Payoff 

With quality management time, a little hands-on mentoring and encouragement, I helped him recover, and he has become a very successful technical manager. He’s not an “A” player in the management role yet but that comes with experience. I now have confidence that he will grow into the role.

Another thing I’ve learned is that while you can’t salvage everyone, especially those who don’t want to be saved, we probably need to make a greater effort to save some of those “C” players in our organizations. Fortunately, if you’ve done the right thing in trying to grow your employees, in the event that things just don’t work out, you have a documented trail of performance weaknesses and your attempts to remedy those gaps. That should satisfy any HR administrator or union honcho, and sometimes it’s in everyone’s best interest to just move on. ■

CSO Undercover is written anonymously by a real CSO. Send feedback to csoundercover@cxo.com.




[  INDUSTRY  VIEW] 

By  Ben  Rothke 


PCI:  Smart  or  Stupid? 

The  data  security  standard  isn’t  as  complex  as  some  would  have  you  believe 


There is something odd about the payment card industry (PCI) standard. It’s one of the best things to happen to the security of consumer data, yet many think it is as complex as rocket science.

PCI requirements fall into six major categories: build and maintain a secure network; install and maintain firewall configurations; protect stored data; use and regularly update antivirus software; restrict access to need-to-know; and monitor and track all access to network resources and cardholder data. These requirements provide a textbook outline of the fundamentals of information security. They reflect attention to detail and risk management. One can sum up PCI in a single word: pragmatic. It takes a realistic approach to the problems of consumer credit data and applies a common sense set of security solutions. PCI takes a narrow focus on what it attempts to solve, as opposed to the Sarbanes-Oxley Act, which lacks any form of specific detail. PCI is a godsend for the protection of consumer credit card data.

Given what PCI is trying to accomplish, one would expect it to be welcomed with open arms by the industry. To a degree, it has been. But surprisingly, there seems to be a cabal that has chosen to attack, rather than embrace, PCI. One recent example: Michael Mathews, chief operating and technology officer at security services company Cynergistek, wrote an article called “PCI Has Lost Its Way, Growing Overly Complex and Costly,” for the June 2007 issue of Information Security. Mathews repeatedly stresses the complexity of PCI.

But where exactly is that complexity? The requirements and corresponding specifics are extremely pragmatic and can be classified as information security 101.

Mathews writes that because of these and other “complications,” many merchants remain noncompliant with many facets of PCI DSS. However, the real issue is that these merchants built their networks with little to no thought of security and privacy. They have placed minimal controls on their users, given no direction to their application developers and documented no required procedures for their administrators on how the network should be managed. Merchants are not noncompliant as a result of PCI DSS; they are noncompliant because they never developed their security programs in the first place.

In another example, the director of IT at Virgin Entertainment Group told Computerworld that while much of the PCI standard includes good, solid network and security policies, some of it is “over the top” and can be confusing. He also contends that the costs of meeting the requirements do nothing to boost a retail company’s bottom line, with no direct return on investment.

Recent events demonstrate otherwise. TJX Companies violated some of the basic tenets of the PCI DSS, and its insecurity has had a direct negative financial effect. The company announced that in one recent quarter it took a $12 million loss, equal to 3 cents per share, for costs incurred to investigate and contain the intrusion, improve computer security and systems and communicate with customers, as well as for technical, legal and other fees. The company also reported that it expects to continue to incur these types of intrusion-related costs in the subsequent quarter and estimated that they will total 2 cents to 3 cents per share.

Such breaches are precisely what PCI is meant to prevent. Had TJX followed the principles of PCI and properly secured its systems, it would have had a positive return on the investment, sparing the organization millions of dollars and significant negative publicity. There is absolutely nothing complex about that.

All it takes is one successful hack attack to wipe out years of so-called “savings” gleaned from not implementing security. Online crime has become more sophisticated and far better organized over the past several years. No business wants to risk its bottom line or consumer confidence on the hopeful idea that a security breach just won’t happen to it.

The time to take security seriously is before an attack happens, not after. That is what PCI aims to do. PCI is the best thing that has happened to consumer data protection in the payment industry in many years. The quicker it is embraced and implemented, the better off we all will be. ■

Ben Rothke, CISSP, QSA, is a security consultant with BT INS.


46 www.csoonline.com October 2007


CSO’s e-Mail Newsletters

Keep Up To Speed On the Security Issues Important to You. Delivered right to your desktop.

CSO Update: A weekly look at what’s happening on CSOonline.com.

CSO News Watch: A recap of the week’s top news stories.

CSO Career: A biweekly newsletter of career and leadership-oriented news, articles, events and job postings.

CSO Tech Watch: Monthly update on technologies for protecting networks, facilities, employees, intellectual property and more.

CSO Security Leader: Leadership-related articles and reports from CSO, as well as tips for educating employees and corporate leadership.

CSO Continuity & Recovery: Monthly review of published material concerning business continuity and disaster recovery.

Sign up now for CSO’s complimentary e-mail newsletters: www.CSOonline.com/newsletters


BUSINESS RISK LEADERSHIP

[debriefing]

Watching You, Watching Me

Ask the Paranoiac

To Whom It May Concern: After a lengthy career growing profits at a military contract firm that manufactured PowerPoint presentations for military contract firms, I’m now a newly minted, private industry CSO. My problem can be broken down into three sections, which are shown here in this agenda slide. The surveillance program. The acceptable computer use policy. And employee morale. Let’s dig down into each of these one at a time... -New Executive

Dear New Executive: I’ve cut off your e-mail, sparing our readers the ensuing 58 pages and 371 bullet points. You’re a CSO now; put the PowerPoint down! As for employee morale, the answer is easy: More surveillance and monitoring! Employees can’t remain unenthusiastic if you can always see and promptly modify their behavior, right?

Paranoiac: I’m a veteran CISO. Recently, the CEO took me to a crowded, noisy bar. He ordered a microbrew. I followed suit. He said, “So how’s this malware problem going to affect us?” I told him we were in a strong position to mitigate those risks. He said “Mm-hmm” but not in that uninterested way, more like in that way you say it when you’re kind of interested but at the same time you’ve already made up your mind. Anyway, all of this obviously means he’s going to cut my budget in half. Please help me with this forthcoming crisis. -Empty Pockets

Dear EP: Happy to help. Using a secure, disposable cell phone, call 011 7 555 2436764. A man will answer. You say to him, “Great vodka has no flavor, just a kick.” The man will hang up and a massive denial-of-service attack against your network will have begun. This should keep your budget intact for six more months. No charge, good luck!

Dear Paranoiac: Recently I was eating a jelly doughnut while opening my mail. While reading one letter from a disgruntled user upset with our monitoring-goes-home-with-you policy, I noticed a white powder on the letter. My pocket magnifier seemed to indicate the powder was indeed crystallized sucrose, but you can never be too careful. I’ve enclosed a sample for you to examine. -Bill Jones, CSO

Jones: Thanks for sending. As you know, after my mail arrives in a hermetically sealed box it gets X-rayed and tagged and passes through an irradiation chamber. A robotic arm in a clean room opens all my packages. Hi-def cameras then allow me to view the mail from another room. I had the powder sample delivered through a sealed, negative-pressure vestibule between the rooms. I then tasted the powder. It’s not sugar. Good luck!

Salutations Mr. Paranoid: It is with uppermost congradulations [sic] that I offer this notification. You have won our Foreign Tourism lottery. As previous undersecretary, I am prepared to remit your winnings of 5 million dollars US. Please advise us of your personal banking account numbers and passwords so I may make this deposit on your behalf. -Best sincerities, Mr. L. Francis, esq.

Mr. Francis, esq.: This is so fantastic! I’ve never won anything before! Wow!!! I can’t wait to tell Mrs. P. Attached please find my last bank statement, which should include all the information you need.

P: I am dismayed that you hide behind this pseudonym. Do you not have the cojones to stand behind your opinions? -Anonymous
P.S. Please don’t publish my name, company, or other personally identifying information.

Dear Brian: Thank you for writing. I love what you’ve done with the garden at the summer place, but the master suite color is dreadful. Don’t forget your license expires this month. Also, Lucinda knows; you should be more careful.

48 www.csoonline.com October 2007


Illustration by Steve Munday


Who provides the cyber intelligence that can keep your company out of the dark?

Cyveillance. The world leader in cyber intelligence.

Every day, new threats emerge online that could harm the very core of your business. That’s why industry leaders are turning to Cyveillance for a proven intelligence-led approach to address the full scope of today’s online risk environment.

From malware and identity theft, to phishing, unlicensed product sales, and corporate espionage, Cyveillance covers the entire spectrum of Internet risks. With the most comprehensive Internet monitoring infrastructure, a real-time portal, and

to stop threats before they cause harm.

Don’t depend on conventional monitoring solutions to keep your organization in the know. Stay on top of online threats with Cyveillance, the world leader in cyber intelligence.

Download the new white paper: Intelligence-Led Security

www.cyveillance.com/CSO


[Screenshot: Travelocity.com (https://www.travelocity.com/) open in Microsoft Internet Explorer, with the address bar showing “Identified by VeriSign”]

We’ve given online security a whole new color.

Before another visitor abandons your site, consider why sites like eBay, Travelocity and Charles Schwab® use VeriSign® Extended Validation (EV) SSL Certificates. This new technology turns the address bar in high-security browsers green, indicating it’s safe to transact on a site. That’s the power of the Web’s most trusted name in security. VeriSign.

So the world can: proceed securely to checkout.

Get your free EV white paper at www.verisign.com/dm/evssl or call 1-866-893-6565.

©2007 VeriSign, Inc. All rights reserved. VeriSign, the VeriSign logo, the checkmark circle, VeriSign Secured, and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign and its subsidiaries in the United States and foreign countries. All other trademarks are property of their respective owners.


